On Tue, Dec 24, 2002 at 10:03:45AM -0500, Alan DeKok wrote:
> "Scott Bartlett" <[EMAIL PROTECTED]> wrote:
> > Indeed, to pick a definition out of the air,
> > http://www.ietf.org/internet-drafts/draft-ietf-aaa-transport-10.txt
> > defines these words thus:
> >
> > Authentication
> >     The act of verifying a claimed identity, in the form of a pre-
> >     existing label from a mutually known name space, as the
> >     originator of a message (message authentication) or as the
> >     end-point of a channel (entity authentication).
> >
> > Authorization
> >     The act of determining if a particular right, such as access
> >     to some resource, can be granted to the presenter of a
> >     particular credential.
>
> Agreed 100%.
>
> Question: How do you determine how the server authenticates someone?
> Answer : You check which authentication method they are authorized
> to use.

That's not authorization, that's selection of an authentication source. It could be construed as "authorization" in some larger sense of the word, but in the security community, and specifically wrt "AAA", this is NOT authorization[1]. That is, Alan, you are correct, it is in some sense authorization, but not in the sense that AAA uses it. In your example, the principal has not yet presented a credential. In the AAA model, it is in the authentication step where a credential is obtained for SUBSEQUENT authorization. You cannot authorize an unverified identity (in the AAA model).

> I think I'm going to write some long text in 'doc/aaa.txt', telling
> people that all of their analogies and ad-hoc models are wrong. The
> server is designed the way it is because it works. Not because it's
> perfect, as there's always room for improvements. But it works.

FR's use of the term authorization is the one that's ad-hoc. AAA is not a generic term for some generic meanings of each "A", it is a specific definition. The RADIUS protocol doesn't present an explicit authorization, that is, it doesn't follow the AAA model very well. This is a large source of confusion which FR's configs and docs aggravate. Again, it's not that you are wrong about "authorization", it's that FR does not conform to the specific definition of authorization in the AAA model.

How about 'auth_selection' to replace 'authorization'? Now that the issue has been raised, FR really should update its terminology to be consistent with standards.

/fc

[1] Not explicitly, anyway. It *is* an *implicit* form of authorization, but that's something different and not congruent with AAA.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
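The three steps being argued over in the thread, written out as an added example (this is not code from the thread, nor FreeRADIUS code; the user table, the `pap`/`chap` method names, the simplified CHAP-like challenge hash and the function names are all assumptions made for illustration). The point it shows: selecting an authentication source happens before any credential is verified, authentication is what turns a claimed name into a verified identity, and AAA authorization accepts nothing less than that verified identity as input.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample user store (hypothetical; not a FreeRADIUS users file).
# "auth_method" is the per-user *selection* of an authentication source,
# the step FR labels "authorize" and the post argues is not AAA authorization.
USERS = {
    "alice": {"auth_method": "pap",  "secret": "alice-pw", "rights": {"ppp", "shell"}},
    "bob":   {"auth_method": "chap", "secret": "bob-pw",   "rights": {"ppp"}},
}


@dataclass(frozen=True)
class VerifiedIdentity:
    """Credential produced only by a successful authentication step."""
    name: str


def select_auth_method(username: str) -> Optional[str]:
    """Step 0: pick which authenticator handles this claimed name.

    No credential has been checked yet, so this grants no rights; it only
    routes the request to an authentication source.
    """
    user = USERS.get(username)
    return user["auth_method"] if user else None


def chap_response(challenge: bytes, secret: str) -> str:
    """Simplified CHAP-like responder: MD5(challenge || secret).

    Assumption for the example only; real CHAP (RFC 1994) hashes
    id || secret || challenge and is not what is implemented here.
    """
    return hashlib.md5(challenge + secret.encode()).hexdigest()


def authenticate(username: str, proof: Union[str, tuple]) -> Optional[VerifiedIdentity]:
    """Step 1 (AAA authentication): verify the claimed identity.

    `proof` is the clear password for pap, or (challenge, response) for chap.
    Returns a VerifiedIdentity on success, None on any failure.
    """
    user = USERS.get(username)
    method = select_auth_method(username)
    if user is None or method is None:
        return None
    if method == "pap" and isinstance(proof, str):
        ok = hmac.compare_digest(proof.encode(), user["secret"].encode())
    elif method == "chap" and isinstance(proof, tuple):
        challenge, response = proof
        expected = chap_response(challenge, user["secret"])
        ok = hmac.compare_digest(response.encode(), expected.encode())
    else:
        ok = False  # proof shape does not match the selected method
    return VerifiedIdentity(username) if ok else None


def authorize(identity: object, right: str) -> bool:
    """Step 2 (AAA authorization): decide a right for a verified credential.

    Refuses anything that is not the output of authenticate(): in the AAA
    model an unverified name cannot be authorized at all.
    """
    if not isinstance(identity, VerifiedIdentity):
        raise TypeError("authorization requires an authenticated identity")
    return right in USERS[identity.name]["rights"]


if __name__ == "__main__":
    # Usage: the full pipeline for one pap and one chap user.
    ident = authenticate("alice", "alice-pw")
    print("alice shell:", authorize(ident, "shell"))
    ch = b"\x10\x20\x30\x40"
    ident = authenticate("bob", (ch, chap_response(ch, "bob-pw")))
    print("bob shell:", authorize(ident, "shell"))
```

Note that `select_auth_method` can be called for a name nobody has proven, which is exactly why it is a routing decision rather than an authorization decision; `authorize` will not even accept a bare string as its subject.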