Authentication

We use the term authentication to describe the process of matching the credentials supplied by the user (e.g. name, password) to those configured on the AAA server (e.g. name, "known good" password). If the credentials match, the user is said to be authenticated. If the credentials do not match, the user is not authenticated.

The previous description is, of course, too simple to be completely true. The administrator may still choose to deny network access to authenticated users, for example if their account has been suspended. The administrator may also choose to permit limited network access to unknown users, such as to permit them into a "quarantine zone", where they can purchase additional network connectivity.

The definition of authentication becomes even more complicated when the user attempts to authenticate with credentials that are correct but inappropriate for the situation. For example, a user may log in remotely using a clear-text password, when site policy says that passwords may be used only for local access and that remote access requires a token card. The user is still "authentic" if the supplied password is correct, but is denied access on the basis of site policy.

For this reason, and for other historical ones, the FreeRADIUS "authorization" section runs before "authentication": it applies site policy to the incoming request, and can reject the request, before any credentials are checked. This terminology is inconsistent with the wider use of "authorization", which is normally defined as occurring after authentication. The stage that matches the conventional meaning of the term, where policy is applied to a user who has already been authenticated, is called "post-auth" in the FreeRADIUS configuration files. This mis-naming will be fixed in a future release.

Once the user is authenticated, the local policy is applied to determine the user's authorization status.
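The following is an added example, not FreeRADIUS code, that models the three-stage pipeline described above (authorize, then authenticate, then post-auth) over constructed requests. It covers the cases the text mentions: a correct password rejected before authentication because site policy forbids passwords for remote access, an authentic but suspended account rejected by post-auth policy, and an unknown user placed in a quarantine VLAN. The user database, the suspended flag, the port-type policy and the VLAN number are assumptions made for illustration; the attribute names (User-Name, User-Password, NAS-Port-Type, Reply-Message, Tunnel-*) are standard RADIUS attributes.

```python
"""Model of the FreeRADIUS request pipeline: authorize (pre-authentication
site policy), authenticate (credential check), post-auth (policy applied to
the authenticated user).  Added example, not FreeRADIUS's own code."""
import hmac

# Constructed "known good" credentials and account state.  Assumption: a real
# site would keep these in the users file, SQL or LDAP.
USERS = {
    "alice": {"password": "correct horse", "suspended": False},
    "bob":   {"password": "battery staple", "suspended": True},
}

# Assumed site policy: clear-text passwords are accepted only from local,
# wired ports; remote users must use a token card instead.  "Ethernet" is the
# dictionary name of NAS-Port-Type value 15.
LOCAL_PORT_TYPES = {"Ethernet"}
QUARANTINE_VLAN = "99"   # assumption: VLAN where unknown users can buy access


def authorize(request):
    """Pre-authentication policy.  Runs first, as it does in FreeRADIUS, so a
    request the policy forbids is rejected before any credential is checked."""
    if "User-Password" in request and \
            request.get("NAS-Port-Type") not in LOCAL_PORT_TYPES:
        return "reject", {"Reply-Message":
                          "Passwords are accepted only for local access"}
    return "ok", {}


def authenticate(request):
    """Match the supplied credentials against the configured ones.  Returns
    'ok' (authentic), 'reject' (wrong password) or 'notfound' (unknown user)."""
    user = USERS.get(request.get("User-Name"))
    if user is None:
        return "notfound"
    supplied = request.get("User-Password", "")
    # Constant-time comparison so timing does not leak the correct password.
    if hmac.compare_digest(supplied.encode(), user["password"].encode()):
        return "ok"
    return "reject"


def post_auth(request, auth_result):
    """Conventional authorization: decide what an authentic (or unknown) user
    is allowed to do.  FreeRADIUS calls this section post-auth."""
    if auth_result == "reject":
        return "reject", {"Reply-Message": "Bad credentials"}
    if auth_result == "notfound":
        # Site policy: unknown users get a quarantine VLAN, not a reject.
        return "ok", {"Tunnel-Type": "VLAN",
                      "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": QUARANTINE_VLAN}
    if USERS[request["User-Name"]]["suspended"]:
        # Authentic, but denied by local policy after authentication.
        return "reject", {"Reply-Message": "Account suspended"}
    return "ok", {}


def process(request):
    """Run the stages in FreeRADIUS order; return packet code and reply attributes."""
    rcode, reply = authorize(request)
    if rcode == "reject":
        return "Access-Reject", reply
    auth_result = authenticate(request)
    rcode, reply = post_auth(request, auth_result)
    return ("Access-Accept" if rcode == "ok" else "Access-Reject"), reply


if __name__ == "__main__":
    # Constructed requests exercising each path.
    for req in (
        {"User-Name": "alice", "User-Password": "correct horse", "NAS-Port-Type": "Ethernet"},
        {"User-Name": "alice", "User-Password": "correct horse", "NAS-Port-Type": "Virtual"},
        {"User-Name": "bob", "User-Password": "battery staple", "NAS-Port-Type": "Ethernet"},
        {"User-Name": "mallory", "User-Password": "guess", "NAS-Port-Type": "Ethernet"},
    ):
        print(req["User-Name"], req["NAS-Port-Type"], "->", process(req))
```

Note that the second request carries alice's correct password yet never reaches authenticate: the authorize stage rejects it because NAS-Port-Type is Virtual, which is exactly the ordering the text explains.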