Alan DeKok writes:
> > "Vic Abell" <[EMAIL PROTECTED]> wrote:
> > I don't think someone should be authorized before the claimed identity
> > has been authenticated. Otherwise authorization might be given to
> > someone falsely claiming an identity.
>
> Nonsense. The authorization isn't returned to the caller until
> after they've been authenticated.
No, it's not nonsense. The secretary's telling me that Vic Abell has an appointment gives away potentially useful information. It's like a login program telling an intruder that the login exists, but the intruder hasn't yet specified the correct authentication. That's an invitation to try again. However, because the RADIUS protocol doesn't seem to have separate returns for authorization and authentication results, it's not giving the client a hint that the attempt is worth retrying with a different password.

You gave an explanation much more acceptable to me in separate e-mail when you said:

> The issue is that one of the authorization parameters is which
> authentication methods you are allowed to use. So the control flow
> should really go like:
>
> authorize which authentication type
> do authentication
> if authenticated, give additional authorization.

I completely overlooked the feature of the RADIUS protocol and server that allows multiple authentication methods to be applied. In that case it is clearly useful to authorize the authentication type first.

Thanks for your useful contributions to my understanding of the RADIUS protocol.

Vic

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
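The three-stage flow Alan describes (authorize the authentication type, authenticate, then release the rest of the authorization), modelled as an added example in Python; it is not FreeRADIUS code, and the user store, attribute names in the request dictionaries and function names are assumptions. It also shows the point Vic raises: every failure returns the same Access-Reject, so the NAS learns nothing about whether the user exists or which stage failed.

```python
"""Hypothetical model of a RADIUS Access-Request decision, written for this
thread; not FreeRADIUS code. Stage 1 authorizes the auth type, stage 2
authenticates, stage 3 returns the remaining authorization attributes."""
import hashlib
import hmac

# Constructed user store: password, permitted auth types, reply attributes.
USERS = {
    "vic": {"password": "s3cret", "auth_types": {"PAP", "CHAP"},
            "reply": {"Framed-Protocol": "PPP"}},
    "alan": {"password": "hunter2", "auth_types": {"CHAP"},
             "reply": {"Service-Type": "Login-User"}},
}
REJECT = ("Access-Reject", {})  # identical for every failure: no hint to retry

def authorize_auth_type(user, auth_type):
    """Stage 1: only decide whether this user may attempt this auth type."""
    entry = USERS.get(user)
    return entry is not None and auth_type in entry["auth_types"]

def authenticate(user, auth_type, request):
    """Stage 2: verify credentials. PAP compares the password in constant
    time; CHAP checks MD5(id || password || challenge) per RFC 1994."""
    password = USERS[user]["password"].encode()
    if auth_type == "PAP":
        return hmac.compare_digest(password, request["User-Password"].encode())
    if auth_type == "CHAP":
        chap = request["CHAP-Password"]  # 1-byte identifier + 16-byte response
        expected = hashlib.md5(chap[:1] + password + request["CHAP-Challenge"]).digest()
        return hmac.compare_digest(expected, chap[1:])
    return False

def handle_access_request(request):
    """Returns (code, reply_attrs). Reply attributes are released only after
    authentication succeeds; all failures look the same to the NAS."""
    user = request.get("User-Name", "")
    auth_type = "CHAP" if "CHAP-Password" in request else "PAP"
    if not authorize_auth_type(user, auth_type):
        return REJECT                      # unknown user or auth type not allowed
    if not authenticate(user, auth_type, request):
        return REJECT                      # bad credentials: same answer as above
    return ("Access-Accept", dict(USERS[user]["reply"]))  # stage 3

def chap_response(ident, password, challenge):
    """Client side of CHAP (RFC 1994), used to build a constructed request."""
    return ident + hashlib.md5(ident + password.encode() + challenge).digest()
```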
