Plug-in Question

Alan DeKok aland at deployingradius.com
Fri Jul 6 10:35:21 CEST 2007


Tomas Hoger wrote:
> Isn't "authorize" a better place for that?  Even the name suggests
> authorization should be done there... ;)

  No.  "authorize" is run before authentication for historical reasons.

  Policies should really be applied *after* a user authenticates, which
means post-auth.

> Just wondering whether there's a good reason for not doing it in
> authorize and postponing it until post-auth.  Besides using the more
> common order of authentication and authorization steps.

  The common order is authentication, then authorization.  FreeRADIUS
mixes up the names for historical reasons.

  Alan DeKok.



