ClearBox TACACS+ RADIUS Server In Depth

ClearBox TACACS+ server offers outstanding flexibility with multiple AAA policies. Each authentication/authorization/accounting policy may be chosen and applied to a user according to the user's domain, membership in a specific domain group, or the requested privilege level or service. This allows implementing a so-called access matrix: many companies want to grant different access levels to their network equipment (routers, gateways, etc.) to different groups of employees, based on their domain group membership.


ClearBox offers two ways to control user authorization, i.e. what a user is allowed to do once connected to the network. The first is per-service authorization, where you explicitly define which services (shell, ip, lcp, etc.) are allowed.
The second is per-command authorization: which commands are granted or prohibited on a network server.

Current version: 5.1.1

Top 12 Main Features of TACACS+ Server

Full TACACS+ Protocol Implementation

ClearBox provides a complete implementation of the TACACS+ protocol and is compatible with TACACS+ clients from vendors such as Cisco, FortiGate, Aruba, Juniper, Citrix and others.

In addition, arbitrary TACACS+ authorization and accounting attributes are supported.

Policy-based Configuration

Any request may be processed in several ways depending on the defined rules. Any request attribute, sender address or user name pattern may be used to determine how each authentication and/or accounting request is handled.

For example, a scenario such as "authenticate all requests from 192.168.1.3 against Active Directory, and use the internal database for all other clients" is configured in a few mouse clicks.

Per command authorization

One of the unique TACACS+ features is its ability to control (authorize) each command that your staff issues on the network equipment (so-called "per-command authorization"). ClearBox is definitely strong here, using the power of regex (regular expressions) to describe allowed commands concisely.
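As an added illustration of deny-by-default, regex-based per-command authorization (example code written for this page, not ClearBox's own configuration format or code; the group names and command patterns are constructed), the following evaluator rebuilds the command line from the TACACS+ authorization attributes and checks it against an ordered permit/deny list:

```python
import re

# Constructed sample policy (assumed format, not ClearBox's): each group maps
# to an ordered list of (decision, regex) rules. The first matching rule
# decides; a command that matches no rule is denied.
POLICY = {
    "netops-readonly": [
        ("permit", r"show (?!running-config|startup-config).*"),
        ("permit", r"ping .*"),
        ("permit", r"exit"),
    ],
    "netops-admin": [
        ("deny", r"reload.*"),
        ("permit", r".*"),
    ],
}


def command_from_avpairs(avpairs: list) -> str:
    """Rebuild the command line from TACACS+ authorization AV pairs.

    Per RFC 8907 a shell command authorization carries cmd=<name> plus one
    cmd-arg=<token> per argument; Cisco devices end the list with
    cmd-arg=<cr>, which is dropped here.
    """
    cmd, args = "", []
    for av in avpairs:
        key, _, value = av.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return " ".join([cmd] + args)


def authorize_command(group: str, command: str) -> bool:
    """Return True if `command` is permitted for `group`, False otherwise.

    re.fullmatch anchors the pattern to the whole command line, so a rule
    written as "show ..." cannot be satisfied by "noshow" or by a command
    that merely contains the word "show" somewhere. Whitespace is collapsed
    first so that "show   version" and "show version" are judged alike.
    """
    normalized = " ".join(command.split())
    for decision, pattern in POLICY.get(group, []):
        if re.fullmatch(pattern, normalized):
            return decision == "permit"
    return False  # deny by default: unknown group or unmatched command
```
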

Multiple Authentication Backends

Multiple authentication backends may be used to authenticate users. RADIUS requests may be authenticated against Active Directory/Windows domains, local Windows groups and accounts, LDAP directories, the ClearBox internal user account database, and any SQL-compliant data source, including SQL servers, Excel tables and even plain text files.

Ubiquitous SQL Scripting

ClearBox utilizes SQL queries or stored procedures to control almost any aspect of request processing, such as verifying user credentials, logging authentication status, or choosing allowed commands.

Interoperability

ClearBox comes with many vendor-specific RADIUS attribute dictionaries, and they can be extended with any vendor-specific attributes. Support for Cisco H323 and Quintum attributes is built into the server core.

Built-in User Accounts Management

You may add, modify and delete user accounts in the ClearBox built-in database. Passwords, access policy, double logon prevention, MAC address authentication and restricted logon hours may be managed via the ClearBox administrative interface.

Multiple Accounting Consumers

ClearBox supports logging RADIUS accounting records to several destinations simultaneously. SQL data storage, plain files and remote RADIUS servers are all supported. Advanced techniques, such as caching data in MS Message Queue, increase system scalability and fault tolerance.

Authorization Access Matrix

User groups with different access to different sets of equipment are easy to set up. Existing AD groups and users are fully supported, too.

Second Factor Authentication with TOTP

The normal authentication process with a user name and password can be strengthened with a second authentication stage, in which the user has to provide a one-time password generated on a mobile device or desktop app.

Jaeger Tracing

Integration with this powerful tracing tool gives full insight into what happens in the server: how many requests have been processed, how fast they are processed, and which interactions with authentication backends consume the most time. Performance bottlenecks can no longer hide.

Cloud Integration

ClearBox Server can be run inside a cloud-based Windows machine (for example, in Amazon EC2) and/or integrate with AWS Directory Service. Docker image support is pending.