6 Jul
2007
6 Jul
'07
7:57 a.m.
Tomas Hoger wrote:
Yes, authenticate, authorize is the order most commonly used. But I think it may still be acceptable to apply policies before authenticating user, e.g. if authentication if more "expensive" (either in terms of time or CPU usage). Few examples:
Yes. I've had that discussion before (off-list) with people who are surprised that FreeRADIUS permits policies to be run before users are authenticated. e.g. Users on NAS X aren't supposed to do EAP. So if they try, reject them immediately. This also mitigates certain kinds of DoS attacks. Alan DeKok.