Service-Type Authorize-Only

Alan DeKok aland at deployingradius.com
Fri Jun 1 09:01:35 CEST 2012


ajay shekhar wrote:
> Does setting Service-Type AVP to Authorize-Only in a RADIUS REQUEST make
> FreeRADIUS do only the authorization part?

  No.  You still need to set 'Auth-Type := Accept' in order to return an
Access-Accept.

> I do not know much about of how freeRADIUS works, but I am looking to
> get either of these scenarios working -
>  
> Case 1:
> authenticate a user (using EAP-SIM) with FreeRADIUS and then,
> initiate authorization (separately using Service-Type AVP set to
> Authorize-Only) for the same user with FreeRADIUS

  That will work, as described above.

> Case 2:
> Configure FreeRadius to Authenticate & Authorize the user in one go; in
> which case the output of radiusd -X clearly indicates that both Auth &
> Autz are done.
> If case 2 happens, how do I distinguish it from an Authentication-Only
> scenario?

  Because the Access-Request contains an EAP-Message.  In the first case
(Authorize-Only), it will *not* contain an EAP-Message.

  As with most things RADIUS, there's no magic.  Just look at the
packets.  They're clearly different.

  Alan DeKok.


More information about the Freeradius-Users mailing list