6 Jul
2007
6 Jul
'07
2:59 a.m.
Hi Alan! On 7/5/07, Alan DeKok <aland@deployingradius.com> wrote:
George Beitis wrote:
... I will use a policy engine to do that and i want to overwrite the final decision if the user is not authorized based on my policy.
Is postauth the right place to do this?
Yes.
But you can't turn a reject into an accept. You can only turn an accept into a reject.
Isn't "authorize" better place for that? Even name suggests authorization should be done there... ;) Just wondering whether there's a good reason for not doing it in authorize and postpone it until post-auth. Besides using more common order of authentication and authorization steps. th.