Plug-in Question

Tomas Hoger tomas.hoger at gmail.com
Fri Jul 6 12:47:14 CEST 2007


Hi Alan!

On 7/6/07, Alan DeKok <aland at deployingradius.com> wrote:
> > Isn't "authorize" better place for that?  Even name suggests
> > authorization should be done there... ;)
>
>   No.  "authorize" is run before authentication for historical reasons.

Yes I do understand authorize is run before authenticate and I do
understand why modules are called in authorize even if they don't do
anything related to authorization.

And as Arran pointed out, there are situations when applying policies
is feasible and is done in practice.


>   Policies should really be applied *after* a user authenticates, which
> means post-auth.

Yes, authenticate, authorize is the order most commonly used.  But I
think it may still be acceptable to apply policies before
authenticating user, e.g. if authentication is more "expensive"
(either in terms of time or CPU usage).  Few examples:

- authentication is done by remote radius - no need to proxy request
if we know / can tell in advance that request will be rejected anyway

- application of policy takes less time than lookup of user in external
DB (SQL, LDAP) - however, proper ordering of modules in authorize must
be taken into account


Thanks for your feedback!

th.


