Why Authorization before Authentication?

[Arran Cudbard-Bell]

On 23 Nov 2011, at 13:34, Edgar Fuß wrote:

> A probably simple question I could not find explained in the FAQ or the Concepts section:
> 
> Given that Authentication is proving who I am and Authorization is checking what I'm allowed to do, I naively would have expected a RADIUS server to first authenticate me an then check my authorization.
> Surely for a reason, what FreeRADIUS does is the other way round: first try all authorization modules and then use one authentication module.
> I hope I got this right.
> I would like to be pointed to a document explaining the rationale behind this. It's probably obvious to anyone familiar with the matter, but that doesn't include me.
> 

It's complicated and imperfect. The users credentials are retrieved in authorize, so it's necessary to run the authorize section before the authentication section, but this could also be done with a pre-authenticate section...

With some EAP modules, you really need to decide what you're going to do before you start authentication. You need to know that you're going to reject the user so you can communicate that to the supplicant in the right way at the right point in the authentication process.

My recommendation to anybody who asks this question (it comes up from time to time), is to think of authorisation being separate from generating the reply.

So you decide whether the user is authorised, you complete authentication, then you formulate the actual response in post-auth ( use section overrides <module>.<section> to run the right logic).

The section names are just names after all, and although yes, there is module logic associated with each section, it's easy to override. If you're unhappy with the way the default configuration works, it's easy to change it...

-Arran 

Arran Cudbard-Bell
a.cudbardb at freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !