"L.C. (Laurentiu C. Badea)" <[EMAIL PROTECTED]> wrote:
> I am having some difficulty understanding why the authorize section
> has that name. It does not authorize anything per se, and in fact
> that word does not appear in the phrase if you try to describe what
> it actually does (which seems to be: define the processing pipeline
> for a given request).

It authorizes users to use a particular authentication protocol, among other things.

> This is the way I kind of expected it to be:
>
> "Authentication" answers the question: "are these credentials valid for this
> user?". If not, then we reject the user and do not go any further.
>
> "Authorization" answers the question: "is this user allowed to access the
> resource at this time?"

i.e. authentication protocol.

Also, if the user isn't allowed to log in at *all* right now, then there's no need to authenticate them. They aren't authorized to do anything.

> and it usually assumes a preauthenticated user.

Your assumption is wrong.

> According to the above, only the last two items in that section
> actually belong there (daily and checkval). Lumping everything else
> together in that section makes the config file difficult to "parse"
> due to known concepts being given different meanings.

The server has no problem parsing the configuration file. The semantics of that section are well-defined.

Alan DeKok.