At 06:53 AM 7/16/2002 -0500, Vic Abell wrote:
>I'm new to the Radius protocol, just having finished
>implementing a module for access to a private
>authentication service.
>
>During development one thing struck me as odd:
>authorization checks are done before the entity being
>authorized is authenticated.
>
>It's been my experience that before an entity is
>authorized it should be asked to prove itself via
>authentication.
>
>Why does the Radius protocol reverse the order of
>authentication and authorization?

The FreeRADIUS authorization process retrieves the
attribute information needed to perform the authentication
process, i.e., retrieving a password, setting the auth-type
to use CHAP, PAP, EAP, etc.  You can't authenticate the user
until you know how you are supposed to authenticate them.  That
means pulling the password info.

The authorization information is *not* sent back to the NAS
unless the user is successfully authenticated, so there is
no exposure of info (unless very poorly configured).  Why
do two lookups (one to get password, one to get author info)
when you can do one lookup to get all info?

-Chris
--
    \\\|||///  \          StarNet Inc.      \         Chris Parker
    \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
    | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net
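The two-stage flow Chris describes (one lookup in the authorize stage that loads both the check items the authentication needs and the reply items, which are withheld unless authentication succeeds) modelled as a small Python simulation. This is an added example written for this page, not FreeRADIUS code; the user entries, attribute names and helper functions are constructed stand-ins for a "users" file, and the CHAP computation follows RFC 1994/RFC 2865 (MD5 over ident, password and challenge).

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a FreeRADIUS "users" file. Each entry carries the
# check items the server needs in order to authenticate (password, Auth-Type)
# and the reply items the NAS is told only after a successful authentication.
# Users, passwords and addresses are illustrative, not from any real system.
USERS = {
    "alice": {
        "check": {"Cleartext-Password": "correct horse", "Auth-Type": "PAP"},
        "reply": {"Framed-IP-Address": "10.0.0.42", "Session-Timeout": 3600},
    },
    "bob": {
        "check": {"Cleartext-Password": "battery staple", "Auth-Type": "CHAP"},
        "reply": {"Framed-IP-Address": "10.0.0.43"},
    },
}


@dataclass
class Request:
    """A minimal Access-Request plus the server-side state built while processing it."""
    user_name: str
    user_password: Optional[str] = None        # PAP: cleartext password from the NAS
    chap_challenge: Optional[bytes] = None     # CHAP: challenge sent to the client
    chap_password: Optional[bytes] = None      # CHAP: 1 ident byte + 16-byte MD5
    control: dict = field(default_factory=dict)  # check items loaded by authorize()
    reply: dict = field(default_factory=dict)    # reply items loaded by authorize()


def authorize(req: Request) -> bool:
    """Authorization stage: a single lookup that loads the check items the
    authentication stage depends on and the reply items that are held back
    until authentication succeeds. Unknown users are rejected here."""
    entry = USERS.get(req.user_name)
    if entry is None:
        return False
    req.control.update(entry["check"])
    req.reply.update(entry["reply"])
    return True


def authenticate(req: Request) -> bool:
    """Authentication stage: the method is whatever Auth-Type authorize() set.
    Without the password and Auth-Type from the lookup there is nothing to check."""
    password = req.control.get("Cleartext-Password")
    auth_type = req.control.get("Auth-Type")
    if password is None or auth_type is None:
        return False
    if auth_type == "PAP":
        if req.user_password is None:
            return False
        return hmac.compare_digest(req.user_password.encode(), password.encode())
    if auth_type == "CHAP":
        if (req.chap_challenge is None or req.chap_password is None
                or len(req.chap_password) != 17):
            return False
        ident = req.chap_password[:1]
        expected = hashlib.md5(ident + password.encode() + req.chap_challenge).digest()
        return hmac.compare_digest(req.chap_password[1:], expected)
    return False  # unsupported Auth-Type


def process(req: Request):
    """Full flow: authorize first, then authenticate. Reply attributes are
    only included in an Access-Accept; a reject carries none of them."""
    if not authorize(req):
        return ("Access-Reject", {})
    if not authenticate(req):
        return ("Access-Reject", {})
    return ("Access-Accept", dict(req.reply))


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """Build a CHAP-Password the way a NAS would: ident || MD5(ident || password || challenge)."""
    id_byte = bytes([ident])
    return id_byte + hashlib.md5(id_byte + password.encode() + challenge).digest()


if __name__ == "__main__":
    print(process(Request("alice", user_password="correct horse")))
    print(process(Request("alice", user_password="wrong")))
    challenge = bytes(range(16))
    print(process(Request("bob", chap_challenge=challenge,
                          chap_password=chap_response(7, "battery staple", challenge))))
```

The point to notice is in `process()`: the reply dictionary is populated during `authorize()`, but it never leaves the server unless `authenticate()` returns true, which is exactly why loading it early costs nothing in exposure. A request that presents the wrong credential type for the configured Auth-Type (PAP against a CHAP user, or vice versa) also fails closed.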



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
