On 28 Mar 2014, at 19:24, Lovaas,Steven <Steven.Lovaas@ColoState.EDU> wrote:
Arran, I think you're onto a very important point... especially for those of us who benefit from the visual in our learning habits. I personally benefited a lot by drawing out the basics of RADIUS in general and the FreeRADIUS server in particular, so that I could communicate with our network team and get our old servers updated to support the roll-out of eduroam on our campus. Your suggestion of some expansion and graphic help for the overall layout resonates with me... mental models, concept maps, and all that. A picture can help cement the basic landscape, and make more advanced conversations easier to sustain.
I'm in a busy mode and it will take me a while (no promises before summer?), but I'll commit to putting this kind of thing together.

Simple stuff like this is good.
That took about two hours. Even I don't know the intricacies of all the flows within the server.
The dotted lines represent when the request can loop back into a section. As far I can tell
Authorize and Post-Auth are the only places this can happen.
It happens when the request starts off in one section and then something happens that requires
it to run through a different part of the same section.
For authorize that's setting control:Autz-Type to something, and then the request leaving the
section. For Post-Auth, it's rejecting the request.
Oddly, if you start off in the main Pre-Proxy-Type section, and set control:Pre-Proxy-Type it doesn't
loop back round into the Pre-Proxy-Type you set, it just carries on and proxies the request.
-Arran