Authorization is the process of establishing what a user can do,
i.e. of granting or denying a user access to network resources once
the user has been authenticated. RADIUS protocol does not separate
authorization from authentication and uses one authentication
request-response transaction for these purposes, but ClearBox
Server distinguishes these processes logically and allows
implementing authorization as an independent part of packet
In RADIUS protocol when an authentication request occurs, the
NAS sends at the same time a set of parameters (the
attribute/values pairs) describing the user login type and
requested services. The RADIUS server may analyze these attributes
and decide whether to authorize the user or not. In the former case
the server can include in its reply another attribute set to be
applied to the user who is logging in (for example a static IP
address, the address of the DNS servers, etc.). Finally, the NAS
may decide if this set is suitable to that user and then continue
or abort the session.
ClearBox Server divides RADIUS authorization process into three
This feature allows automatically rejecting authentication
requests that contain a certain attribute. If any attribute from
the Reject list is present in the packet, then Access-Reject
response is sent back to the client. For example,
Calling-Station-ID can be used to block users who dial in from a
particular phone number.
The Check list is a list of attributes that must accompany the
request for connection. The NAS must send attributes that accord
the Check list assigned to a user; otherwise, ClearBox Server will
reject the user even if he has been authenticated.
By including appropriate attributes in the Check list, a variety
of rules could be enforced. Only certain users might be permitted
to use ISDN connections, or dial in to a particular NAS. Or, Caller
ID could be used to validate a user against a list of legal
originating phone numbers.
The Response list is a list of attributes that ClearBox Server
must return to the NAS once authorization succeeds. The Response
list usually provides additional parameters that the NAS needs to
complete the connection, typically as part of PPP negotiations.
By including appropriate attributes in the Response list, a variety
of connection policies could be applied. Specific users could be
assigned particular IP addresses or IPX network numbers, IP header
compression could be turned on or off, or a time limit could be
assigned to the connection.
Read more about RADIUS attributes
and their properties.
See how to set authorization settings
© 2001-2007 XPerience Technologies. www.xperiencetech.com