The Enterprise version of ClearBox RADIUS server offers many features needed in large environments with high demands for performance, scalability and failover.
ClearBox provides centralized authentication and administration for thousands and even millions of entities: users and clients.
IEEE 802.11 authentication is supported to provide access control to wireless routers, access points and hotspots in EAP/WPA-Enterprise/WPA2-Enterprise modes. Password-based PEAP (EAP-MS-CHAPv2) and certificate-based EAP-TLS and PEAP (EAP-TLS) protocols are supported by most wireless clients and are implemented in ClearBox.
Any RADIUS request may be processed in several ways depending on defined rules. Any RADIUS attribute of the request, the sender address, a user name pattern or even a dynamic SQL query may be used to handle authentication and/or accounting requests independently.
For example, an "authenticate all requests from 192.168.1.3 against Active Directory, and use the internal database for all other clients" scenario is configured with several mouse clicks.
Multiple independent authentication backends are supported. RADIUS requests may be authenticated against Active Directory/Windows domains, local Windows groups and accounts, LDAP directories, the ClearBox internal user accounts database, and any SQL-compliant data sources including SQL servers, Excel tables and even plain text files.
ClearBox embraces SQL commands and stored procedures to control almost any aspect of request processing, such as authenticating the request, logging authentication status, and checking or adding RADIUS attributes in the request or response.
SQL data sources may even be used to store ClearBox configuration: such meta-configuration allows external applications to control the RADIUS server.
Besides simply forwarding RADIUS requests, ClearBox running in proxy mode can modify both outgoing and incoming forwarded packets. Local authentication and accounting processing may be applied prior to forwarding. Load balancing is applied when forwarding RADIUS requests to multiple remote RADIUS servers.
ClearBox comes with a set of vendor-specific RADIUS attribute (VSA) dictionaries (for Cisco, Microsoft, Ascend, Quintum, Colubris, Slipstream, Nomadix, IP3Networks, WISPr, Acme, Citrix, DSL Forum, Fortinet, Ruckus, Juniper, Nortel, Dialogic, Mikrotik, RuggedCom, Cantata, etc.), and any vendor-specific dictionaries can be added.
You may add, modify and delete user accounts in the built-in database. Passwords, access policy, double logon prevention, MAC address authentication and restricted logon hours are managed via the administrative interface. The database may be migrated easily to an external SQL server.
ClearBox supports multiple consumers of RADIUS accounting records. SQL data storage, plain files and remote RADIUS servers are all supported as accounting data consumers, and may be fed in parallel. Advanced techniques, like caching data in MS Message Queue, increase the system's scalability and fault tolerance.
ClearBox Server implements RFC 5176 and provides an HTTP API to send "Disconnect" and "Change-of-Authorization" (CoA) messages to RADIUS clients (routers), which act as RADIUS servers in this case. These messages may change a user session's parameters or even terminate the session.
ClearBox Server extends RADIUS authentication with an advanced authorization process: "Black" lists of prohibited attributes, "Check" lists of required attributes and "Response" lists of attributes to be included in the response can be retrieved from SQL data sources or LDAP directories.
The normal authentication process with a user name and password can be reinforced with a second authentication stage, in which the user has to provide a one-time password generated on their mobile device or desktop app.
Integration with this powerful tracing tool gives full insight into what happens in the server: how many requests have been processed, how fast they are processed, and which interactions with authentication backends consume more time. Bottlenecks in the system performance can no longer hide.
ClearBox Server can be run inside a cloud-based Windows machine (say, in the Amazon EC2 cloud) and/or integrated with AWS Directory Service. Docker image support is pending.