Tomas Hoger wrote: > Isn't "authorize" better place for that? Even name suggests > authorization should be done there... ;)
No. "authorize" is run before authentication for historical reasons. Policies should really be applied *after* a user authenticates, which means post-auth. > Just wondering whether there's a good reason for not doing it in > authorize and postpone it until post-auth. Besides using more common > order of authentication and authorization steps. The common order is authentication, then authorization. FreeRADIUS mixes up the names for historical reasons. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html