Hi all (and season's greetings),

Just an observation:

In FR 0.8, the file /docs/aaa.txt describes 'authorization' and 'authentication' from FreeRadius' point of view and process. My own general (i.e. non-FreeRadius) understanding of these phrases (in non-technical terms), as applied to any generic aaa system, is:

    Authenticate: proving the user is who they say they are.
    Authorization: setting limits on what the user can and cannot do.

Indeed, to pick a definition out of the air, http://www.ietf.org/internet-drafts/draft-ietf-aaa-transport-10.txt defines these words thus:

    Authentication
        The act of verifying a claimed identity, in the form of a
        pre-existing label from a mutually known name space, as the
        originator of a message (message authentication) or as the
        end-point of a channel (entity authentication).

    Authorization
        The act of determining if a particular right, such as access to
        some resource, can be granted to the presenter of a particular
        credential.

In the general sense above, for any kind of system requiring aaa, the user would 'authenticate' first and then be 'authorized' to do stuff. There might be a bit of twiddling at a lower level unseen by the masses, but this is the essence of the procedure (then followed of course by 'accounting').

My reading of /docs/aaa.txt - which is very FreeRadius specific and detailed - gives me the impression that FreeRadius doesn't seem to follow that analogy (at least linguistically speaking, if not technically too) and has possibly left me more confused than before as to what FreeRadius is actually doing when and why. Not that I really need to know (hey, it works for me!), but I'm curious.

I'm cool with what /docs/aaa.txt is telling me FreeRadius actually does - I'm just not feeling comfortable with the uses of the words 'authenticate' and 'authorize' in there. For example, it says:

    "Authorization is a process of obtaining information about the user
    from external source (file, database or LDAP), and checking that the
    information in request is enough to authenticate user.
    <cut>
    The authentication method is decided during the authorization phase.
    <more>"

These lines don't gel with me at all. Especially as 'aaa' stands for 'Authentication, Authorization and Accounting' and not 'Authorization, Authentication, and Accounting'... :-)

Is this just me (am I on the wrong track here?)? If I'm still a bit confused having been a user of FreeRadius for over a year, I'm a bit worried about new users having a hard time of it...

Regards!
SB

Scott Bartlett
BTA Limited, London, UK
e: scott at bta dot com
e: scott at frontios dot com
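The two-phase flow that the quoted aaa.txt passage describes (look the user up in an external source, decide whether the request carries enough to authenticate and which method to use, and only then verify the credential) is easier to see in code than in prose. The following is an added illustration written for this thread, not code from the original post and not FreeRADIUS's own implementation: the users table, the attribute names as dictionary keys, and the function names `authorize`, `authenticate` and `handle_access_request` are all constructed for the example. The PAP and CHAP checks follow RFC 2865's CHAP-Password layout (one identifier octet followed by the 16-octet MD5 response) so the "authentication method is decided during the authorization phase" point is concrete.

```python
import hashlib
import hmac

# Constructed stand-in for the "external source" (a users file, SQL, LDAP).
# Each entry holds the known-good password plus the reply items to send back.
USERS_DB = {
    "alice": {"Cleartext-Password": "wonderland",
              "reply": {"Framed-IP-Address": "10.0.0.5"}},
    "bob":   {"Cleartext-Password": "builder", "reply": {}},
}


def authorize(request):
    """Authorization phase in the aaa.txt sense: fetch what we know about the
    user, check the request has enough to authenticate against, and pick the
    Auth-Type. Nothing is verified yet. Returns (status, config)."""
    user = USERS_DB.get(request.get("User-Name"))
    if user is None:
        return "reject", {}                       # unknown user: nothing to check
    config = {"Cleartext-Password": user["Cleartext-Password"],
              "reply": user["reply"]}
    if "CHAP-Password" in request and "CHAP-Challenge" in request:
        config["Auth-Type"] = "CHAP"
    elif "User-Password" in request:
        config["Auth-Type"] = "PAP"
    else:
        return "reject", {}                       # no usable credential in request
    return "ok", config


def authenticate(request, config):
    """Authentication phase: verify the claimed identity with the method that
    authorization selected. Comparisons are constant-time."""
    secret = config["Cleartext-Password"].encode()
    if config["Auth-Type"] == "PAP":
        return hmac.compare_digest(request["User-Password"].encode(), secret)
    if config["Auth-Type"] == "CHAP":
        chap = request["CHAP-Password"]           # 1 octet id + 16 octet response
        if len(chap) != 17:
            return False
        ident, response = chap[:1], chap[1:]
        expected = hashlib.md5(ident + secret + request["CHAP-Challenge"]).digest()
        return hmac.compare_digest(expected, response)
    return False


def handle_access_request(request):
    """Run authorize, then authenticate, and map the outcome to a RADIUS code.
    Reply items chosen during authorization only go out on Access-Accept."""
    status, config = authorize(request)
    if status != "ok":
        return "Access-Reject", {}
    if not authenticate(request, config):
        return "Access-Reject", {}
    return "Access-Accept", config["reply"]


if __name__ == "__main__":
    # Constructed sample request: PAP login for alice.
    code, reply = handle_access_request({"User-Name": "alice",
                                         "User-Password": "wonderland"})
    print(code, reply)
```

Note how the Auth-Type is fixed in `authorize` before any password is compared; that ordering is exactly what the quoted documentation means, even though the word "authorization" is carrying a different sense than the IETF draft's.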
