ClearBox TACACS+ server offers outstanding flexibility through multiple AAA policies. Each authentication, authorization or accounting policy may be chosen and applied to a user according to the user's domain, membership in a specific domain group, or the requested privilege level or service. This makes it possible to implement a so-called access matrix: many companies want to grant different access levels to their network equipment (routers, gateways, etc.) to different groups of employees based on their domain group membership.
ClearBox offers two ways to control user authorization, i.e. what a user is allowed to do once connected to the network. The first is per-service authorization, where you explicitly define which services (shell, ip, lcp, etc.) are allowed. The second is per-command authorization: which commands are granted or prohibited on a network server.
ClearBox provides a complete implementation of the TACACS+ protocol and is compatible with TACACS+ clients from vendors such as Cisco, FortiGate, Aruba, Juniper, Citrix and others. In addition, arbitrary TACACS+ authorization and accounting attributes are supported.
Any request may be processed in several ways depending on the defined rules. Any request attribute, sender address or user name pattern may be used to determine how each authentication and/or accounting request is handled. For example, the scenario "authenticate all requests from 192.168.1.3 against Active Directory, and use the internal database for all other clients" is configured in a few mouse clicks.
One of the unique TACACS+ features is its ability to control (authorize) each command that your staff issues on the network equipment (so-called "per-command authorization"). ClearBox is definitely strong here, harnessing the power of regular expressions (regex) to describe allowed commands concisely.
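As an added illustration of how regex-based per-command authorization works in practice (this is example code written for this page, not ClearBox's own implementation or configuration syntax; the group names, patterns and the PASS_ADD/FAIL reply names are constructed for the example), the snippet below evaluates a command line the way a TACACS+ server would when a device forwards a typed command for authorization. Deny patterns are evaluated before permit patterns, every pattern is anchored so that `show` cannot match `showme`, matching is case-insensitive because IOS-style CLIs are, and an unknown group fails closed.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CommandPolicy:
    """Per-group command authorization policy (constructed example format)."""
    name: str
    deny: List[str] = field(default_factory=list)    # checked first
    permit: List[str] = field(default_factory=list)  # then these
    default_permit: bool = False                     # fall-through result

    def __post_init__(self) -> None:
        # Anchor every pattern so a prefix such as "show" cannot match "showme",
        # and compile once so a bad pattern fails at load time, not per request.
        flags = re.IGNORECASE
        self._deny = [re.compile(rf"^(?:{p})$", flags) for p in self.deny]
        self._permit = [re.compile(rf"^(?:{p})$", flags) for p in self.permit]

    def authorize(self, cmd: str, args: List[str]) -> bool:
        # A TACACS+ authorization request carries cmd= and cmd-arg= attributes;
        # rebuild one normalized line (single spaces) so patterns see the same
        # text regardless of how the operator spaced the command.
        line = " ".join([cmd, *args]).strip()
        if any(r.match(line) for r in self._deny):
            return False
        if any(r.match(line) for r in self._permit):
            return True
        return self.default_permit


# Constructed sample access matrix: two groups with different command rights.
POLICIES = {
    "netops-readonly": CommandPolicy(
        "netops-readonly",
        deny=[r"show running-config.*", r"show startup-config.*"],
        permit=[r"show(?: .*)?", r"ping .*", r"traceroute .*", r"exit"],
    ),
    "netops-admin": CommandPolicy(
        "netops-admin",
        deny=[r"(?:no )?username .*", r"erase .*", r"reload.*"],
        default_permit=True,
    ),
}


def parse_command_line(line: str) -> Tuple[str, List[str]]:
    """Split a typed command into cmd + args the way a device would send them."""
    parts = shlex.split(line)
    return (parts[0], parts[1:]) if parts else ("", [])


def authorize_command(group: str, cmd: str, args: List[str]) -> str:
    """Return the authorization reply status for a command from a user in `group`."""
    policy = POLICIES.get(group)
    if policy is None:
        return "FAIL"  # no policy for this group: fail closed
    return "PASS_ADD" if policy.authorize(cmd, args) else "FAIL"


if __name__ == "__main__":
    for group, typed in [("netops-readonly", "show ip interface brief"),
                         ("netops-readonly", "show running-config | include password"),
                         ("netops-admin", "configure terminal"),
                         ("netops-admin", "reload")]:
        cmd, args = parse_command_line(typed)
        print(f"{group:17} {typed!r:45} -> {authorize_command(group, cmd, args)}")
```

Keeping the deny list ahead of the permit list is what lets a broad `show(?: .*)?` permit coexist with a narrow `show running-config.*` deny; reversing the order would silently leak the running configuration to the read-only group.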
Multiple authentication backends may be used to authenticate users. RADIUS requests may be authenticated against Active Directory/Windows domains, local Windows groups and accounts, LDAP directories, the ClearBox internal user account database, or any SQL-compliant data source, including SQL servers, Excel tables and even plain text files.
ClearBox uses SQL queries or stored procedures to control almost any aspect of request processing, such as verifying user credentials, logging authentication status or choosing allowed commands.
ClearBox comes with many vendor-specific RADIUS attribute dictionaries, and they can be extended with any vendor-specific attributes. Cisco H.323 and Quintum attributes are supported at the server core level.
You may add, modify and delete user accounts in the ClearBox built-in database. Passwords, access policy, double-logon prevention, MAC address authentication and restricted logon hours may all be managed via the ClearBox administrative interface.
ClearBox supports logging RADIUS accounting records in several ways simultaneously: to SQL data storage, plain files and remote RADIUS servers. Advanced techniques, such as caching data in MS Message Queue, increase system scalability and fault tolerance.
It is easy to set up user groups with different access to different sets of equipment. Existing AD groups and users are fully supported, too.
The normal authentication process with a user name and password can be strengthened with a second authentication stage, in which the user has to provide a one-time password generated on a mobile device or desktop app.
Integration with this powerful tracing tool gives full insight into what happens in the server: how many requests have been processed, how fast they are processed, and which interactions with authentication backends consume the most time. Performance bottlenecks can no longer hide.
ClearBox Server can be run inside a cloud-based Windows machine (for example, in the Amazon EC2 cloud) and/or integrated with AWS Directory Service. Docker image support is pending.