Plug-in Question

Alan DeKok aland at deployingradius.com
Fri Jul 6 13:57:21 CEST 2007


Tomas Hoger wrote:
> Yes, authenticate, authorize is the order most commonly used.  But I
> think it may still be acceptable to apply policies before
> authenticating user, e.g. if authentication if more "expensive"
> (either in terms of time or CPU usage).  Few examples:

  Yes.  I've had that discussion before (off-list) with people who are
surprised that FreeRADIUS permits policies to be run before users are
authenticated.

  e.g. Users on NAS X aren't supposed to do EAP.  So if they try, reject
them immediately.  This also mitigates certain kinds of DoS attacks.

  Alan DeKok.



More information about the Freeradius-Users mailing list