24-Dec-02 at 09:35, Scott Bartlett ([EMAIL PROTECTED]) wrote :

> For example, it says: "Authorization is a process of obtaining
> information about the user from external source (file, database or
> LDAP), and checking that the information in request is enough to
> authenticate user. <cut>
> The authentication method is decided during the authorization phase.
> <more>". These lines don't gel with me at all. Especially as 'aaa'
> stands for 'Authentication, Authorization and Accounting' and not
> 'Authorization, Authentication, and Accounting'... :-)

Well.. you're right and wrong. FreeRADIUS allows people to authenticate via several different mechanisms from the same master daemon process (radiusd), so it has to check each available mechanism to find out which one authorises the user (if any) before authenticating him against the correct mechanism.

So it's :-

- check all available authentication mechanisms as defined
- establish which will authenticate this user (actually preprocessing - hints -> realms -> users), although this *is* called authorization in the config file radiusd.conf
- authenticate against mechanism (authentication)
- possibly fall back to another on auth fail (fallback)
- then supply, on successful authentication, the radius attribute results (login authorization)->(accounting)

It's just more complex than your average model of just authenticate then authorize... maybe the section /should/ be called "preprocess" or "check_auth_method" or something...

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
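
The ordering described in the message above, as a simplified Python model added here (it is not FreeRADIUS code and not part of the original message): the "authorization" chain only selects a mechanism, and the credential is checked afterwards. The user table, passwords, the `.ppp` hint, the `FALLBACK` map and all function names are constructed assumptions.

```python
import hmac

# Simplified model of the request flow described in the message above.
# Not FreeRADIUS code: all tables, names and values below are constructed.
USERS = {  # stands in for the "users" file: chosen mechanism + reply attributes
    "alice": {"Auth-Type": "Local", "password": "s3cret",
              "reply": {"Service-Type": "Framed-User"}},
    "bob": {"Auth-Type": "System", "reply": {"Service-Type": "Login-User"}},
}
SYSTEM_PASSWORDS = {"alice": "unix-pw", "bob": "hunter2"}  # stands in for the OS database
FALLBACK = {"Local": "System"}  # assumption: on Local failure, try System next

def preprocess(req, ctl):
    req["User-Name"] = req["User-Name"].strip()

def hints(req, ctl):  # constructed hint: a ".ppp" suffix is stripped and remembered
    if req["User-Name"].endswith(".ppp"):
        req["User-Name"], ctl["Hint"] = req["User-Name"][:-4], "PPP"

def realms(req, ctl):  # split "user@realm"; later modules see the bare user name
    req["User-Name"], _, ctl["Realm"] = req["User-Name"].partition("@")

def users(req, ctl):
    entry = USERS.get(req["User-Name"])
    if entry:  # this is where the authentication method gets decided
        ctl.update(entry)

def same(expected, supplied):  # constant-time compare; unknown user never matches
    return expected is not None and hmac.compare_digest(expected.encode(), supplied.encode())

AUTHORIZE = [preprocess, hints, realms, users]
AUTHENTICATE = {
    "Local": lambda req, ctl: same(ctl.get("password"), req["User-Password"]),
    "System": lambda req, ctl: same(SYSTEM_PASSWORDS.get(req["User-Name"]), req["User-Password"]),
}

def handle(request):
    """Return (reply code, reply attributes, mechanisms tried in order)."""
    req, ctl, tried = dict(request), {}, []
    for module in AUTHORIZE:  # "authorization": select the mechanism, no password check yet
        module(req, ctl)
    method = ctl.get("Auth-Type")
    while method in AUTHENTICATE and method not in tried:
        tried.append(method)
        if AUTHENTICATE[method](req, ctl):  # "authentication": verify the credential
            return "Access-Accept", dict(ctl["reply"]), tried
        method = FALLBACK.get(method)
    return "Access-Reject", {}, tried
```

A user for whom no module sets a mechanism is rejected before any password check runs, which is the case where "authorization" fails first.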