Authorization
Authorization is the process of finding and returning information about what the user is allowed to do. For example, finding out what kinds of authentication methods they are allowed to run, and what VLAN the user should be assigned to.
Authorization modules generally "get data" from somewhere, e.g., ldap, sql, files.
The authentication method is usually determined when the server gets the user's credentials from a database. Once the credentials are available, the server can authenticate the user.
Authorization refers to the process of determining what permissions are granted to the user. For example, the user may or may not be permitted certain kinds of network access or allowed to issue certain commands.
The NAS sends a “request” - a packet of information about the user - and the RADIUS server either grants or denies authorization based solely on information in the “request” sent by the NAS. In each case, the RADIUS server manages the authorization policy and the NAS enforces the policy.
The NAS “request” is really a set of statements. For example, the NAS may send the RADIUS server a “request” containing the following user information:
"user name is Bob"
"password is Hello"
"ip address is 192.0.2.34"
Once the RADIUS server receives the request, it uses that information to figure out what properties the user should have (i.e., "Bob" is claiming to have IP address 192.0.2.34; do the server's records contradict this statement?). The RADIUS server then sends a reply to the NAS. The reply contains a series of statements about what properties the user should have:
"user name is Bob"
"ip address is 192.0.2.78"
The RADIUS server can't request further information from the NAS. In contrast with SQL systems, RADIUS is limited in that it cannot make complicated queries. In SQL, queries such as "SELECT name from table where ipaddress = 192.0.2.34" are common. RADIUS does not have that capability. Instead, RADIUS only makes statements about what is, and what should be.
Upon receipt of a reply from the RADIUS server, the NAS tries to enforce those properties on the user. If the properties cannot be enforced, the NAS closes the connection.
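The exchange described above, as an added toy model (not FreeRADIUS code): the NAS's request is a set of statements, the server checks them against its own records without asking follow-up questions, and the reply states what should hold. The user records, function names, and the plaintext password comparison (real RADIUS obfuscates User-Password with the shared secret) are constructed assumptions for this illustration.

```python
import hmac

# Constructed "server records": what a files/sql/ldap module would return.
# (Assumed sample data, not a real configuration.)
USER_RECORDS = {
    "Bob": {"User-Password": "Hello", "Framed-IP-Address": "192.0.2.78"},
}


def authorize(request: dict) -> tuple:
    """Return ("Access-Accept", reply_attrs) or ("Access-Reject", {}).

    The server may only use what is in the request plus its own records;
    it cannot ask the NAS for more information.
    """
    name = request.get("User-Name")
    record = USER_RECORDS.get(name)
    if record is None:
        return "Access-Reject", {}
    # Authentication: the credential in the request must match the record.
    # Constant-time comparison avoids leaking the password via timing.
    if not hmac.compare_digest(
        str(request.get("User-Password", "")), record["User-Password"]
    ):
        return "Access-Reject", {}
    # Authorization: the reply states what properties the user SHOULD have.
    # The NAS's claim ("ip address is 192.0.2.34") is not an error; the server
    # simply replies with the address its records say is correct.
    reply = {"User-Name": name, "Framed-IP-Address": record["Framed-IP-Address"]}
    return "Access-Accept", reply


def nas_enforce(reply_code: str, reply: dict, supported: set) -> bool:
    """NAS side: True if the session stays up, False if the NAS closes it.

    `supported` is the set of attributes this NAS knows how to enforce.
    """
    if reply_code != "Access-Accept":
        return False
    # Every property in the reply must be enforceable, or the NAS closes
    # the connection rather than granting a partially-applied policy.
    return all(attr in supported for attr in reply)
```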