ClearBox TACACS+ RADIUS Server In Deep

ClearBox TACACS+ server offers an outstanding flexibility with multiple AAA policies. Each authentication, authorization, or accounting policy may be selected by a user domain, its membership in a domain group, or a requested privilege level or service. It allows to implement so-called access matrix. Suppose, a company grants different access levels to its network equipment (routers, gateways, etc.) looking at a user group membership.

ClearBox offers two ways to control user authorization, i.e. what he is allowed when connected to the network. The first is per-service authorization, when you may explicitly define what services (shell, ip, lcp, etc.) are allowed.
The second is per-command authorization: what commands are granted or prohibited on a network server.

Main Features

Full TACACS+ Protocol Implementation

ClearBox provides complete implementation of the TACACS+ protocol as is compliant with any TACACS+ clients vendors like Cisco, Fortigate, Aruba, Juniper, Citrix and other.

Besides, any arbitrary TACACS+ authorization and accounting attributes are supported

Policy-based Configuration

Any request may be processed in several ways depending on defined rules. Any request attribute, sender address, user name pattern may be used to handle request authentication and/or accounting independently.

Say, "authenticate all request from against Active Directory, and use internal database for all other clients" scenario is available in several clicks.

Per command authorization

One of the reasons to apply TACACS+ is to control each command that your stuff issue on the network equipment (so called per-command authorization). ClearBox is definitely strong here, brining regex power to describe allowed commands in a short way.

Multiple Authentication Backends

Several independent authentication backends are supported. RADIUS requests may be authenticated against Active Directory/Windows domains, local Windows groups and accounts, LDAP directories, ClearBox internal user accounts database, any SQL-compliant data sources including SQL servers, Excel tables and even plain text files.

Full SQL Scripting

CleasrBox allows to use SQL queries or stored procedures to control almost any aspect of request processing, such as authenticating it, logging authentication status, choosing allowed commands.


ClearBox is shipped with many vendors-specific RADIUS attributes dictionaries, and it can be extended with any vendor-specific attributes. Support for H323 Cisco and Quintum attributes is at the server core level.

Built-in User Accounts Management

You may add, modify, delete user accounts using ClearBox built-in database. Passwords, access policy, double logon prevention, MAC address authentication, restricted logon hours may be managed via ClearBox administrative interface.

Multiple Accounting Consumers

ClearBox supports for logging accounting RADIUS records in several ways simultaneously. SQL data storages, plain files, remote RADIUS servers are all supported. Advanced techniques, like caching data in MS Message Queue, increase the system scalability and fault tolerance.

Authorization Access Matrix

Easy to set up user groups with different access to different equipment sets. Existing AD groups and users are fully supportted, too.