Why Authorization before Authentication?

Iliya Peregoudov iperegudov at cboss.ru
Thu Nov 24 09:25:46 CET 2011

In general there are three steps in processing an Access-Request:

- identify
- authenticate
- authorize

First you need to identify the subscriber. In general you should consult 
the subscriber database (backend). To minimize the number of round-trips 
to the subscriber database it is better to return the whole subscriber 
profile to the AAA server. The AAA server can then decide whether to 
proceed with authentication, grant access without authentication, deny 
access without authentication, or just pass the matter to a proxy. This 
is exactly what the authorize section does. The subscriber profile 
retrieved in this step is stored ad hoc, usually in the control and reply 
lists of the request.

To authenticate the subscriber you need to check the credentials it 
provides. This is what the authenticate section does. Most authentication 
modules use the Cleartext-Password attribute from the control list to 
check credentials.

To authorize the subscriber you should make a decision based on both the 
subscriber profile and the authentication result. This is what the 
post-auth section does. Put your authorization policies in this section.

Edgar Fuß wrote:
> A probably simple question I could not find explained in the FAQ or the Concepts section:
> Given that Authentication is proving who I am and Authorization is checking what I'm allowed to do, I naively would have expected a RADIUS server to first authenticate me and then check my authorization.
> Surely for a reason, what FreeRADIUS does is the other way round: first try all authorization modules and then use one authentication module.
> I hope I got this right.
> I would like to be pointed to a document explaining the rationale behind this. It's probably obvious to anyone familiar with the matter, but that doesn't include me.
> Thanks.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
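
The flow described in the message above, as a simplified Python model added here (it is not FreeRADIUS code and not part of the original post). The subscriber table, the `Suspended` flag and the `Proxy` marker are assumptions made for the illustration.

```python
import hmac

# Constructed backend: one lookup returns the whole subscriber profile.
SUBSCRIBERS = {
    "alice": {"control": {"Cleartext-Password": "s3cret"},
              "reply": {"Session-Timeout": 3600}},
    "kiosk": {"control": {"Auth-Type": "Accept"},   # access without credentials
              "reply": {"Session-Timeout": 300}},
    "bob":   {"control": {"Cleartext-Password": "hunter2", "Suspended": True},
              "reply": {}},                         # "Suspended" is hypothetical
}

def authorize(req):
    """Identify: load the profile into control/reply and choose how to proceed."""
    user = req["User-Name"]
    if "@" in user:                      # assumption: users with a realm are proxied
        return {"Auth-Type": "Proxy"}, {}
    profile = SUBSCRIBERS.get(user)
    if profile is None:                  # unknown subscriber: deny without authenticating
        return {"Auth-Type": "Reject"}, {}
    control = dict(profile["control"])
    control.setdefault("Auth-Type", "PAP")
    return control, dict(profile["reply"])

def authenticate(req, control):
    """Check the supplied credentials against what authorize stored in control."""
    if control["Auth-Type"] == "Accept":
        return True
    known = control.get("Cleartext-Password")
    if control["Auth-Type"] != "PAP" or known is None:
        return False
    supplied = req.get("User-Password", "")
    return hmac.compare_digest(supplied.encode(), known.encode())

def post_auth(control, authenticated):
    """Authorization policy: uses both the profile and the authentication result."""
    return authenticated and not control.get("Suspended", False)

def handle(req):
    control, reply = authorize(req)
    if control["Auth-Type"] == "Proxy":
        return "Proxied", {}
    if control["Auth-Type"] == "Reject":
        return "Access-Reject", {}
    ok = post_auth(control, authenticate(req, control))
    return ("Access-Accept", reply) if ok else ("Access-Reject", {})
```

The credential check cannot run until `authorize` has placed `Cleartext-Password` in the control list, which is why that section comes first.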
