Plug-in Question
Alan DeKok
aland at deployingradius.com
Fri Jul 6 13:57:21 CEST 2007
Tomas Hoger wrote:
> Yes, authenticate, authorize is the order most commonly used. But I
> think it may still be acceptable to apply policies before
> authenticating user, e.g. if authentication if more "expensive"
> (either in terms of time or CPU usage). Few examples:
Yes. I've had that discussion before (off-list) with people who are
surprised that FreeRADIUS permits policies to be run before users are
authenticated.
e.g. Users on NAS X aren't supposed to do EAP. So if they try, reject
them immediately. This also mitigates certain kinds of DoS attacks.
Alan DeKok.
More information about the Freeradius-Users
mailing list