AAA
Authorization, Authentication, and Accounting request handling
Many questions about misconfigured FreeRADIUS servers arise from a misunderstanding of how the server processes requests. This document explains how the server operates.
Normally there are two steps in processing an authentication request from a NAS: authorization and authentication. If FreeRADIUS is used as a proxy to forward the request to another RADIUS server, there are additional steps (the pre-proxy and post-proxy sections).
Authorization
Authorization is the process of finding and returning information about what the user is allowed to do. For example, finding out what kind of authentication methods they are allowed to run, and what VLAN the user should be placed into.
Authorization modules generally "get data" from somewhere, e.g. ldap, sql, files, etc.
The authentication method is usually determined when the server retrieves the user's credentials from a database. Once the "known good" credentials are available, the server can authenticate the user.
Authentication
Authentication is simply the process of comparing the user's credentials in the request with the "known good" credentials retrieved from a database. Authentication usually deals with the password encoding or hashing used by a particular protocol. The modules pap, chap, mschap, etc. do authentication.
Some modules do both authentication and limited authorization. For example, the mschap module authenticates MS-CHAP credentials, but it may also be used as an authorization module, which verifies that the request contains MS-CHAP related attributes. If so, the module instructs the server to use mschap for authentication, too.
These dual modules are usually related to protocol-specific attributes, such as the pap module for the User-Password attribute, chap for CHAP-Password, mschap for MS-CHAP-*, etc.
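The two-step flow described above, as an added example (not taken from the FreeRADIUS documentation or its shipped configuration): an abbreviated virtual server in the style of raddb/sites-available/default. The authorize section runs the dual modules first so that each can claim its own credential type by setting Auth-Type in the control list, then a data module (files) supplies the "known good" password; the authenticate section dispatches on that Auth-Type. The server name "example" and the Reply-Message text are illustrative.

```unlang
# Added example, not the project's own configuration.
server example {
    authorize {
        # Protocol-specific "dual" modules. Each checks whether the
        # request carries its attribute (CHAP-Password, MS-CHAP-*,
        # User-Password) and, if so, sets control:Auth-Type so that
        # the matching authenticate sub-section runs later.
        chap
        mschap

        # Data source: the files module reads the "users" file and
        # places the user's known-good password (e.g. Cleartext-Password)
        # into the control list. ldap or sql would go here as well.
        files

        # pap is listed last so that it only claims requests that no
        # other module has already claimed, after the known-good
        # password has been made available.
        pap

        # If nothing set an Auth-Type, there is no usable credential
        # in the request: reject rather than fall through silently.
        if (!&control:Auth-Type) {
            reject
        }
    }

    authenticate {
        # The Auth-Type chosen during authorize selects one sub-section.
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }

    # Attributes placed in the reply list (by files above, or here)
    # are returned to the NAS in the Access-Accept.
    post-auth {
        update reply {
            &Reply-Message := "Welcome, %{User-Name}"
        }
    }
}
```

The ordering inside authorize is the security-relevant part: a data module that runs before the dual modules cannot influence which authentication method is chosen, and putting pap before chap or mschap would let a request that carries both User-Password and CHAP-Password be authenticated by the weaker check.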
Request Processing
When the server processes requests, it manages four attribute lists:
request - attributes taken from the received packet
reply - attributes which will be sent in the reply
control - attributes used to control how the server operates. These are never sent in a packet
session-state - attributes which are saved and restored across multiple request / reply exchanges (for example, the Access-Challenge / Access-Request round trips of one EAP session)
All of these lists are available to all modules, and all of them can be read and updated in Unlang.
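An added example (not from the FreeRADIUS documentation) showing an authorize fragment that touches all four lists. The VLAN number, the password value and the use of Tmp-String-0 (a general-purpose internal attribute from the FreeRADIUS dictionaries) are illustrative; in a real deployment the known-good password would come from files, sql or ldap rather than being written inline.

```unlang
# Added example, not the project's own configuration.
authorize {
    # request: what the NAS sent. Branch on the port type in the
    # received Access-Request.
    if (&request:NAS-Port-Type == "Wireless-802.11") {

        # control: internal configuration, never sent on the wire.
        # Illustrative known-good password (assumption: normally
        # supplied by a data module) and a forced authentication method.
        update control {
            &Cleartext-Password := "example-password"
            &Auth-Type := PAP
        }

        # reply: attributes returned to the NAS in the Access-Accept.
        # Here, the VLAN assignment for the user (VLAN 42 is illustrative).
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "42"
        }
    }

    # session-state: kept across the Access-Challenge / Access-Request
    # round trips of one session. Remember the User-Name seen in the
    # first packet and reject any later packet in the same session
    # that presents a different one.
    if (!&session-state:Tmp-String-0) {
        update session-state {
            &Tmp-String-0 := "%{User-Name}"
        }
    }
    elsif (&session-state:Tmp-String-0 != &User-Name) {
        reject
    }
}
```

The point of the last block is the distinction between lists: a value written to control or session-state never reaches the NAS, whereas anything written to reply does, so sensitive intermediate data (known-good passwords, internal flags) belongs in control, not in reply.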
Accounting
Accounting refers to the recording of resources a user consumes during the time they are on the network. The information gathered can include the amount of system time used, the amount of data sent, or the quantity of data received by the user during a session.
During a network session, the NAS periodically sends an accounting of user activity to the server. This accounting is a summary, and the collected data is used for billing purposes. ISPs are a large consumer of accounting data, because each user is billed for every minute of network access. However, corporations have not, historically, relied on network accounting information gathered by RADIUS because employees were not traditionally billed for network access. As their need for ongoing network monitoring increases, though, so does the need to store and process accounting information. The accounting summary sent by the NAS to the server does not include detailed information such as web sites visited or even how many bytes were transferred using a particular protocol (SMTP, HTTP, and so forth). That type of detailed information is only available to the NAS, and it does not send that data to the server.
If detailed information about user activity is required, network administrators can obtain it through other protocols such as sFlow or NetFlow. Network administrators may find it difficult to tie the pieces together to get a more comprehensive understanding of user activity.