Hi,
Following this thread, and specifically the text quoted below, you'll note that the 
concept of authorization is not different in FreeRadius than in other RADIUS 
implementations.  A key point to note is that you can't authenticate without knowing 
the authentication method first.  So in order to save an unnecessary extra lookup, 
FreeRadius' authorization process peeks into the attributes to discover authentication 
methodology prior to authentication *but* also implements the RADIUS standard 
authorization functionality ("hello authenticated user, here is what you're allowed to 
do") *after* the authentication process completes. 
--
Mike
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 17, 2002 2:27 AM
To: [EMAIL PROTECTED]
Subject: Re: a question of philosophy


>
> The FreeRADIUS authorization process retrieves the
> attribute information needed to perform the authentication
> process.  IE, retrieving a password, setting the auth-type
> to use CHAP, PAP, EAP, etc.  You can't authenticate the user
> until you know how you are supposed to authenticate them.  That
> means pulling the password info.
>
> The authorization information is *not* sent back to the NAS
> unless the user is successfully authenticated, so there is
> no exposure of info ( unless very poorly configured ).  Why
> do two lookups ( one to get password, one to get author info )
> when you can do one lookup to get all info?
>


So the "authorization" in FreeRadius is different from the usual
concept. If I am not correct, please correct me, thank you.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
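A small model of the flow discussed in this thread, added here as an illustration and not FreeRADIUS code or anything posted by the participants: one lookup returns both the items needed to authenticate and the reply items, and the reply items go to the NAS only on success. The user store, the function names and the idea of keeping Auth-Type in the user record are assumptions made for the example; User-Password is assumed to be already decoded from its on-the-wire form.

```python
import hashlib
import hmac

# Constructed sample store: each record holds "check" items (used to
# authenticate) and "reply" items (returned to the NAS only on success).
USERS = {
    "alice": {
        "check": {"Auth-Type": "CHAP", "Cleartext-Password": "s3cret"},
        "reply": {"Service-Type": "Framed-User", "Session-Timeout": 3600},
    },
    "bob": {
        "check": {"Auth-Type": "PAP", "Cleartext-Password": "hunter2"},
        "reply": {"Service-Type": "Login-User"},
    },
}

def chap_response(chap_id, password, challenge):
    """CHAP response value (RFC 1994): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def authorize(username):
    """The single lookup: check and reply items come back together."""
    return USERS.get(username)

def authenticate(check, request):
    """Verify the request with the method selected during authorize."""
    password = check["Cleartext-Password"]
    if check["Auth-Type"] == "PAP" and "User-Password" in request:
        return hmac.compare_digest(request["User-Password"].encode(),
                                   password.encode())
    if check["Auth-Type"] == "CHAP" and "CHAP-Password" in request:
        # CHAP-Password carries one CHAP ident byte followed by the response.
        blob = request["CHAP-Password"]
        expected = chap_response(blob[0], password,
                                 request.get("CHAP-Challenge", b""))
        return hmac.compare_digest(blob[1:], expected)
    return False  # unknown method, or the request lacks the needed attribute

def handle_access_request(request):
    record = authorize(request.get("User-Name"))
    if record is None or not authenticate(record["check"], request):
        # Reply items stay on the server when authentication fails.
        return {"Code": "Access-Reject"}
    return {"Code": "Access-Accept", **record["reply"]}
```

The CHAP branch shows why the password has to be fetched before authentication: the server can only recompute the expected response if it already holds the cleartext secret.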