Service Provisioning Using AAA (FreeRadius)
Alan DeKok
aland at deployingradius.com
Wed Jun 5 15:34:28 CEST 2013
John Dennis wrote:
> You're both right, now shake hands and make up :-) The problem is that the
> term authorization in radius is used in a non-standard way that leads to
> confusion. The normal use of the term authorization (authz) indicates
> what a principal is permitted to do and a principal must be validated
> via authentication (authn) first. In radius authorization means
> collecting information necessary to perform the authentication
> operation. It's an unfortunate semantic difference that leads to a fair
> amount of confusion (myself included), but after a while you get used to
> it.

It was a historical mistake in FreeRADIUS which has been kept for too
long.

After 3.0 is released, we'll transition to a naming scheme that's a
little more complex, but much clearer. The idea is that every packet
has 3 stages:

  recv = receive the packet
  process = process the packet
  send = send the reply

We can map the existing authorize / authenticate / etc. to these
processing stages. That change will be initially confusing, but will be
simpler. It will also enable the server to do more protocols that are
in the works. :)

Alan DeKok.