Plug-in Question

George Beitis gb85 at kent.ac.uk
Fri Jul 6 09:50:12 CEST 2007


Tomas
you actually made a very good point :)  I didn't realize there was an
authorize part in the work flow of freeradius.  That would be before
postauth, are there any other steps after "authorize" and before post auth?

kind regards
George

Tomas Hoger wrote:
> Hi Alan!
>
> On 7/5/07, Alan DeKok <aland at deployingradius.com> wrote:
>   
>> George Beitis wrote:
>>     
>>> ...  I will use a policy engine to do that
>>> and i want to overwrite the final decision if the user is not authorized
>>> based on my policy.
>>>
>>> Is postauth the right place to do this?
>>>       
>>   Yes.
>>
>>   But you can't turn a reject into an accept.  You can only turn an
>> accept into a reject.
>>     
>
> Isn't "authorize" better place for that?  Even name suggests
> authorization should be done there... ;)
>
> Just wondering whether there's a good reason for not doing it in
> authorize and postpone it until post-auth.  Besides using more common
> order of authentication and authorization steps.
>
> th.
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   



More information about the Freeradius-Users mailing list