Dear Vic Abell,


--Tuesday, July 16, 2002, 5:53:45 PM, you wrote to [EMAIL PROTECTED]:

>>
>>  Secretary: do you have an appointment?
>>  Mr. Abell: Yes, my name is Vic Abell

VA> In this new and suspicious age, that wouldn't be the exchange.
VA> It would be:

VA> Secretary: Do you have an appointment?
VA> Mr. Abell: Yes, my name is Vic Abell
VA> Secretary: May I please see some identification?
VA> Mr. Abell: Yes, here is my picture ID card, or my retina scan,

***

After that, the secretary finds your file by your name (that's
authorization: she finds out "Who is Mr. Abell?") and compares the data
from the file with the data provided by you (that's authentication: "Is
it really Mr. Abell?"). It's impossible to answer "Is it really Mr.
Abell?" before we have found out "Who is Mr. Abell?".

The RADIUS protocol itself doesn't have authorization and authentication
(like TACACS+ does); it's an authentication protocol, and it's called by
the NAS to authenticate the user. All information (for example, username
and password) is usually transmitted in a single packet. RADIUS replies
with data which helps the NAS to authorize the user if he is
authenticated.

In FreeRADIUS, authorization and authentication refer to the _internal_
process of gathering information about the user, including his valid
password or key and the appropriate authentication mechanism
(authorization), and checking the user's validity (authentication). This
is not related to the process of the user's authentication and
authorization, because RADIUS never deals with the user; it works with
the NAS. All the work in the above example before *** is not related to
RADIUS and is performed by the NAS before RADIUS is ever called.

VA> Secretary: May I please see some identification?

is related to NAS, not to RADIUS.

-- 
~/ZARAZA
And now, William, think this letter over carefully. (Twain)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
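
The internal two-phase processing described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a Python model in which the NAS sends user name and hidden password together in one Access-Request, and the server first looks the user up (authorize) and only then checks the password (authenticate). The shared secret, user table, reply attribute and all function names are constructed for illustration; the password hiding follows RFC 2865 section 5.2.

```python
import hashlib, hmac, os, struct
SECRET = b"testing123"  # constructed shared secret between NAS and server
USERS = {b"vic": {"Auth-Type": "PAP", "Cleartext-Password": b"s3cret",  # constructed
                  "reply": {"Service-Type": "Framed-User"}}}

def crypt_password(data, secret, authenticator, hide):
    """RFC 2865 section 5.2 User-Password hiding (hide=True) or recovery."""
    if hide:  # pad to a non-empty multiple of 16 bytes
        data = data.ljust(max(16, (len(data) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = res if hide else block  # chaining always uses the hidden block
        out += res
    return out if hide else out.rstrip(b"\x00")

def build_access_request(user, password, secret=SECRET):
    auth = os.urandom(16)  # Request Authenticator
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                     ((1, user), (2, crypt_password(password, secret, auth, True))))
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + auth + attrs  # code 1 = Access-Request

def parse(packet):
    length = struct.unpack("!BBH", packet[:4])[2]
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return packet[4:20], attrs

def authorize(attrs):  # phase 1, "who is this?": fetch known-good password and mechanism
    return USERS.get(attrs.get(1))  # attribute 1 = User-Name

def authenticate(record, attrs, auth, secret):  # phase 2, "is it really them?"
    supplied = crypt_password(attrs.get(2, b""), secret, auth, False)  # 2 = User-Password
    return record["Auth-Type"] == "PAP" and hmac.compare_digest(
        supplied, record["Cleartext-Password"])

def handle(packet, secret=SECRET):
    auth, attrs = parse(packet)
    record = authorize(attrs)
    ok = record is not None and authenticate(record, attrs, auth, secret)
    return ("Access-Accept", record["reply"]) if ok else ("Access-Reject", {})
```

An unknown user name is rejected in phase 1 without the password ever being examined, and a server holding the wrong shared secret recovers garbage in phase 2 and rejects as well.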
