Sam Hartman wrote:
> Luke> Isn't then the dictionary just another configuration file?
> Yes. For that use it's probably OK. However it requires you get the
> dictionary set up correctly even if your application understands what
> RADIUS attribute it wants.

If the application understands the attributes it wants, the dictionaries can be statically defined.

The dictionaries are mainly used by *administrators* to create authorization policies. "If I see FOO with value BAR, do something". The definition of FOO is in the dictionary, which maps bytes in the RADIUS packet to "data type for BAR". The "do something" part is controlled by the administrator, and can be pretty much anything from "run a shell script" to "return other attributes".

RADIUS clients have traditionally been very limited. They request a particular kind of authorization/authentication. They receive either a NAK or an ACK. The ACK contains specific details about the requested authorization, such as IP address assignment.

If the ACK contains authorizations for things the client *didn't* ask for, the client ignores them, because the authorizations are inappropriate. Even if the client understands the attributes, it doesn't know what to do with them, because they don't fit within an existing authorization framework.

Alan DeKok.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
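As an added illustration (not code from this thread or from any RADIUS implementation), the sketch below shows a statically defined dictionary mapping attribute bytes to data types, and a client that applies only the authorizations it requested from an ACK. The names `DICTIONARY`, `apply_ack` and `SAMPLE` are hypothetical, the sample packet is constructed, attribute numbers follow RFC 2865 (200 is an arbitrary number absent from the dictionary), and Response Authenticator verification is left out.

```python
import ipaddress
import struct

# Statically defined dictionary: attribute number -> (name, data type), per RFC 2865.
DICTIONARY = {
    8: ("Framed-IP-Address", "ipaddr"),
    11: ("Filter-Id", "text"),
    27: ("Session-Timeout", "integer"),
}

def decode_value(data_type, raw):
    # Map the value bytes of one attribute to the data type the dictionary names.
    if data_type in ("integer", "ipaddr") and len(raw) != 4:
        raise ValueError(f"{data_type} attribute must be 4 bytes")
    if data_type == "integer":
        return struct.unpack("!I", raw)[0]
    if data_type == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    return raw.decode("utf-8") if data_type == "text" else raw

def parse_attributes(packet):
    """Decode the type/length/value attributes after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    code, attrs, pos = packet[0], [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        name, data_type = DICTIONARY.get(packet[pos], (f"Attr-{packet[pos]}", "octets"))
        attrs.append((name, decode_value(data_type, packet[pos + 2:pos + a_len])))
        pos += a_len
    return code, attrs

def apply_ack(packet, requested):
    """Client side: apply only what was asked for, ignore everything else."""
    code, attrs = parse_attributes(packet)  # authenticator check omitted (assumption)
    if code != 2:  # 2 = Access-Accept; any other code grants nothing
        return {}, [name for name, _ in attrs]
    applied = {n: v for n, v in attrs if n in requested}
    return applied, [n for n, _ in attrs if n not in requested]

def attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample Access-Accept (zeroed authenticator, not a real capture).
SAMPLE_BODY = (attr(8, bytes([192, 0, 2, 10])) + attr(27, struct.pack("!I", 3600))
               + attr(11, b"guest-acl") + attr(200, b"\x01\x02"))
SAMPLE = struct.pack("!BBH", 2, 1, 20 + len(SAMPLE_BODY)) + bytes(16) + SAMPLE_BODY
```

Calling `apply_ack(SAMPLE, {"Framed-IP-Address", "Session-Timeout"})` applies the two requested values and reports `Filter-Id` (known to the dictionary but not requested) and `Attr-200` (unknown) as ignored.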
