Authorization
Authorization is the process of establishing what a user can do,
i.e. of granting or denying a user access to network resources once
the user has been authenticated. The RADIUS protocol does not
separate authorization from authentication and uses a single
authentication request-response transaction for both purposes, but
ClearBox Server distinguishes these processes logically and allows
authorization to be implemented as an independent part of packet
processing.
In the RADIUS protocol, when an authentication request occurs, the
NAS sends along with it a set of parameters (attribute/value pairs)
describing the user's login type and the requested services. The
RADIUS server may analyze these attributes and decide whether or not
to authorize the user. If it authorizes the user, the server can
include in its reply another set of attributes to be applied to the
user who is logging in (for example a static IP address, the
addresses of the DNS servers, etc.). Finally, the NAS may decide
whether this set is suitable for that user and then continue or
abort the session.
ClearBox Server divides the RADIUS authorization process into three
independent parts.
Reject Lists
This feature automatically rejects authentication requests that
contain a certain attribute. If any attribute from the Reject list
is present in the packet, an Access-Reject response is sent back to
the client. For example, Calling-Station-ID can be used to block
users who dial in from a particular phone number.
Check Lists
The Check list is a list of attributes that must accompany the
request for connection. The NAS must send attributes that match the
Check list assigned to a user; otherwise, ClearBox Server will
reject the user even if he has been authenticated.
By including appropriate attributes in the Check list, a variety
of rules could be enforced. Only certain users might be permitted
to use ISDN connections, or dial in to a particular NAS. Or, Caller
ID could be used to validate a user against a list of legal
originating phone numbers.
Response Lists
The Response list is a list of attributes that ClearBox Server
must return to the NAS once authorization succeeds. The Response
list usually provides additional parameters that the NAS needs to
complete the connection, typically as part of PPP negotiations.
By including appropriate attributes in the Response list, a variety
of connection policies could be applied. Specific users could be
assigned particular IP addresses or IPX network numbers, IP header
compression could be turned on or off, or a time limit could be
assigned to the connection.
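The following is an added illustration of the three-part model described above (Reject list, Check list, Response list), written for this page; it is not ClearBox Server code, and the policy layout, attribute values and the authorize() function are assumptions made for the example.

```python
# Constructed per-user policy, assumed layout for this example (not ClearBox's
# own configuration format). Attribute names are standard RADIUS names; values
# are sample values. A value of None means "any value of this attribute".
USER_POLICY = {
    "alice": {
        # Reject list: a request carrying any of these is denied outright.
        "reject": {"Calling-Station-Id": "5551234"},
        # Check list: every entry must accompany the request.
        "check": {"NAS-Port-Type": "ISDN Sync", "NAS-IP-Address": "192.0.2.10"},
        # Response list: returned to the NAS in the Access-Accept.
        "response": {"Framed-IP-Address": "192.0.2.100", "Session-Timeout": "3600"},
    },
}


def _present(attr, value, request_attrs):
    """True if the request carries attr, with value (None matches any value)."""
    if attr not in request_attrs:
        return False
    return value is None or request_attrs[attr] == value


def authorize(username, request_attrs, policy=USER_POLICY):
    """Apply the Reject, Check and Response lists to an authenticated request.

    request_attrs: attribute/value pairs the NAS sent with the Access-Request.
    Returns ("Access-Reject", {}) or ("Access-Accept", reply_attributes).
    """
    rules = policy.get(username)
    if rules is None:
        # Assumption of this example: a user with no lists configured is denied.
        return "Access-Reject", {}
    # Reject list: one matching attribute is enough to deny the session.
    if any(_present(a, v, request_attrs) for a, v in rules["reject"].items()):
        return "Access-Reject", {}
    # Check list: the NAS must have sent every required attribute.
    if not all(_present(a, v, request_attrs) for a, v in rules["check"].items()):
        return "Access-Reject", {}
    # Response list: parameters the NAS needs to complete the connection.
    return "Access-Accept", dict(rules["response"])


if __name__ == "__main__":
    request = {"NAS-Port-Type": "ISDN Sync", "NAS-IP-Address": "192.0.2.10",
               "Calling-Station-Id": "5550100"}
    print(authorize("alice", request))
```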
Read more about RADIUS attributes and their properties.
See how to set authorization settings with ClearBox.
© 2001-2007 XPerience Technologies. www.xperiencetech.com