RADIUS Server Features in Depth

The Enterprise version of ClearBox RADIUS Server offers many features needed in large environments with high demands for performance, scalability and failover.


ClearBox provides centralized authentication and administration for thousands and even millions of entities: users and clients.

Current version: 8.1.1

Top 13 Main Features of the RADIUS Server for Windows

Wireless Authentication

IEEE 802.11 authentication is supported to provide access control to wireless routers, access points and hotspots in EAP/WPA-Enterprise/WPA2-Enterprise modes. Password-based PEAP (EAP-MS-CHAPv2) and certificate-based EAP-TLS and PEAP (EAP-TLS) protocols are supported by most wireless clients and are implemented in ClearBox.

Policy-based Configuration

Any RADIUS request may be processed in several ways depending on defined rules. Any RADIUS attribute in the request, the sender address, a user name pattern or even a dynamic SQL query may be used to handle authentication and/or accounting requests independently.

For example, the scenario "authenticate all requests from 192.168.1.3 against Active Directory, and use the internal database for all other clients" is configured with several mouse clicks.

Multiple Authentication Backends

Multiple independent authentication backends are supported. RADIUS requests may be authenticated against Active Directory/Windows domains, local Windows groups and accounts, LDAP directories, the ClearBox internal user accounts database, and any SQL-compliant data sources, including SQL servers, Excel tables and even plain text files.

 

SQL Scripting

ClearBox uses SQL commands and stored procedures to control almost any aspect of request processing, such as authenticating the request, logging authentication status, and checking or adding RADIUS attributes in the request or response.

SQL data sources may even be used to store the ClearBox configuration: such meta-configuration allows external applications to control the RADIUS server.

Advanced RADIUS Proxy

Besides simply forwarding RADIUS requests, ClearBox running in proxy mode can modify both outgoing and incoming forwarded packets. Local authentication and accounting processing may be applied prior to forwarding. Load balancing is applied when forwarding RADIUS requests to multiple remote RADIUS servers.

Interoperability

ClearBox comes with a set of vendor-specific RADIUS attribute (VSA) dictionaries (for Cisco, Microsoft, Ascend, Quintum, Colubris, Slipstream, Nomadix, IP3Networks, WISPr, Acme, Citrix, DSL Forum, Fortinet, Ruckus, Juniper, Nortel, Dialogic, Mikrotik, RuggedCom, Cantata, etc.), and any vendor-specific dictionaries can be added.

 

Built-in User Accounts Management

You may add, modify and delete user accounts in the built-in database. Passwords, access policy, double logon prevention, MAC address authentication and restricted logon hours are managed via the administrative interface. The database may be migrated easily to an external SQL server.

Multiple Accounting Consumers

ClearBox supports multiple consumers of RADIUS accounting records. SQL data storage, plain files and remote RADIUS servers are all supported as accounting data consumers, and may be fed in parallel. Advanced techniques, like caching data in MS Message Queue, increase the system's scalability and fault tolerance.

Dynamic Authorization Extensions

ClearBox Server implements RFC 5176 and provides an HTTP API to send "Disconnect" and "Change-of-Authorization" (CoA) messages to RADIUS clients (routers), which act as RADIUS servers in this case. These messages may change user session parameters or even terminate the session.

Authorization Policies

ClearBox Server extends RADIUS authentication with an advanced authorization process: "Black" lists of prohibited attributes, "Check" lists of required attributes and "Response" lists of attributes to be included in the response can be retrieved from SQL data sources or LDAP directories.

Second Factor Authentication with TOTP

The normal authentication process with a user name and password can be reinforced with a second authentication stage, in which the user has to provide a one-time password generated on a mobile device or in a desktop app.

Jaeger Tracing

Integration with this powerful tracing tool gives full insight into what happens in the server: how many requests have been processed, how fast they are processed, and which interactions with authentication backends consume the most time. Bottlenecks in the system performance can no longer hide.

Cloud Integration

ClearBox Server can be run inside a cloud-based Windows machine (say, in the Amazon EC2 cloud) and/or integrate with AWS Directory Service. Docker image support is pending.