Authorization

Authorization is the process of determining what an authenticated user is permitted to do. The user may be permitted certain kinds of network access, or may be denied access altogether. In every case, the authorization policy is implemented on the RADIUS server, and enforced by the NAS.

The authorization process combines the policy on the RADIUS server with the information in the request from the NAS. A user may request certain kinds of access, such as a particular IP address. The NAS may add further information to the request, such as the user's MAC address. This information is sent to the RADIUS server, which uses it to make its authorization decisions.

When the server's response is sent to the NAS, it contains information instructing the NAS as to which behaviors are permitted for the user, and which are forbidden. The NAS monitors the user's behavior, and dynamically permits or denies activities as defined by the policy. Note that during the rest of the user's network session, the policy is essentially static. That is, the NAS does not query the server for additional policy, and there is no way in RADIUS for the user to request dynamic policy changes.
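
The decision described above, sketched as an added example (not code from the RADIUS server itself): server-side policy is combined with attributes from the NAS request to produce one reply that stays fixed for the session. The policy table, user names, MAC addresses and address pools are constructed for illustration; the sketch assumes the MAC arrives in Calling-Station-Id and the requested address in Framed-IP-Address, and rejecting an out-of-pool address is this sample policy's choice.

```python
import ipaddress

# Constructed policy table: hypothetical users, MAC bindings and pools.
POLICY = {
    "alice": {
        "macs": {"00-11-22-33-44-55"},
        "pool": ipaddress.ip_network("192.0.2.0/28"),
        "reply": {"Session-Timeout": 3600, "Filter-Id": "staff"},
    },
    "bob": {
        "macs": None,  # no MAC binding for this user
        "pool": ipaddress.ip_network("192.0.2.16/28"),
        "reply": {"Session-Timeout": 900, "Filter-Id": "guest"},
    },
}
REJECT = ("Access-Reject", {})

def normalize_mac(value):
    """Canonicalize a MAC to upper-case, dash-separated; None if malformed."""
    digits = "".join(c for c in value if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def authorize(request):
    """Return (code, reply attributes) for an already-authenticated request."""
    entry = POLICY.get(request.get("User-Name"))
    if entry is None:
        return REJECT  # default deny: no policy means no access
    if entry["macs"] is not None:
        # Information added by the NAS feeds the decision.
        mac = normalize_mac(request.get("Calling-Station-Id", ""))
        if mac not in entry["macs"]:
            return REJECT
    reply = dict(entry["reply"])
    hint = request.get("Framed-IP-Address")  # address the user asked for
    if hint is not None:
        try:
            addr = ipaddress.ip_address(hint)
        except ValueError:
            return REJECT
        if addr not in entry["pool"]:
            return REJECT  # sample policy: out-of-pool request is denied
        reply["Framed-IP-Address"] = str(addr)
    # The NAS enforces these attributes for the whole session.
    return "Access-Accept", reply
```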

While the user's network session is ongoing, the NAS will often send the server a "summary of accounts" for that user, as discussed in the accounting page.