Hi Alan! On 7/5/07, Alan DeKok <[EMAIL PROTECTED]> wrote: > George Beitis wrote: > > ... I will use a policy engine to do that > > and i want to overwrite the final decision if the user is not authorized > > based on my policy. > > > > Is postauth the right place to do this? > > Yes. > > But you can't turn a reject into an accept. You can only turn an > accept into a reject.
Isn't "authorize" better place for that? Even name suggests authorization should be done there... ;) Just wondering whether there's a good reason for not doing it in authorize and postpone it until post-auth. Besides using more common order of authentication and authorization steps. th. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
