Tomas Hoger wrote:
> Yes, authenticate, authorize is the order most commonly used. But I
> think it may still be acceptable to apply policies before
> authenticating user, e.g. if authentication is more "expensive"
> (either in terms of time or CPU usage). Few examples:

Yes. I've had that discussion before (off-list) with people who are surprised that FreeRADIUS permits policies to be run before users are authenticated.

e.g. Users on NAS X aren't supposed to do EAP. So if they try, reject them immediately.

This also mitigates certain kinds of DoS attacks.

Alan DeKok.
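
The "NAS X must not do EAP" policy described in the reply above could be written as follows. This is an added sketch, not configuration from the thread or from the FreeRADIUS project; it assumes FreeRADIUS 3.x unlang syntax in a virtual server, and the address 192.0.2.10 is a placeholder standing in for NAS X.

```unlang
# Added illustration (FreeRADIUS 3.x syntax assumed).
# 192.0.2.10 is a placeholder documentation address for "NAS X".
authorize {
    # Policy check first: this runs on every Access-Request before any
    # credentials are examined. A bare &EAP-Message tests only that the
    # attribute is present in the request.
    if ((&NAS-IP-Address == 192.0.2.10) && &EAP-Message) {
        # Processing stops here and an Access-Reject is returned.
        # The authenticate section is never entered, so no EAP
        # conversation is started for this request.
        reject
    }

    # Only requests that passed the policy reach the modules that
    # select and prepare an authentication method.
    eap {
        ok = return
    }
    files
    pap
}

authenticate {
    # The comparatively expensive work happens here, after policy.
    eap
    Auth-Type PAP {
        pap
    }
}
```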