John Dennis wrote:
You're both right, now shake hands and make up :-) The problem with the term authorization in radius is used in a non-standard way that leads to confusion. The normal use of the term authorization (authz) indicates what a principal is permitted to do and a principal must be validated via authentication (authn) first. In radius authorization means collecting information necessary to perform the authentication operation. It's an unfortunate semantic difference that leads to a fair amount of confusion (myself included), but after a while you get used to it.
It was a historical mistake in FreeRADIUS which has been kept for too long. After 3.0 is released, we'll transition to a naming scheme that's a little more complex, but much clearer. The idea is that every packet has 3 stages: recv = receive the packet process = process the packet send = send the reply We can map the existing authorize / authenticate / etc. to these processing stages. That change will be initially confusing, but will be simpler. It will also enable the server to do more protocols that are in the works. :) Alan DeKok.