Service Provisioning Using AAA (FreeRadius)

Alan DeKok aland at
Wed Jun 5 15:34:28 CEST 2013

John Dennis wrote:
> You're both right, now shake hands and make up :-) The problem with the
> term authorization in radius is used in a non-standard way that leads to
> confusion. The normal use of the term authorization (authz) indicates
> what a principal is permitted to do and a principal must be validated
> via authentication (authn) first. In radius authorization means
> collecting information necessary to perform the authentication
> operation. It's an unfortunate semantic difference that leads to a fair
> amount of confusion (myself included), but after a while you get used to
> it.

  It was a historical mistake in FreeRADIUS which has been kept for too

  After 3.0 is released, we'll transition to a naming scheme that's a
little more complex, but much clearer.  The idea is that every packet
has 3 stages:

	recv = receive the packet
	process = process the packet
	send = send the reply

  We can map the existing authorize / authenticate / etc. to these
processing stages.  That change will be initially confusing, but will be
 simpler.  It will also enable the server to do more protocols that are
in the works. :)

  Alan DeKok.

More information about the Freeradius-Users mailing list