
AAA

Authorization, Authentication, and Accounting request handling

Many questions about misconfigured FreeRADIUS servers stem from a misunderstanding of how FreeRADIUS operates. This document explains how the server processes requests.

Normally, FreeRADIUS processes an authentication request coming from a NAS in two steps: authorization and authentication. If FreeRADIUS is used as a proxy to forward the request to another RADIUS server, there are additional steps.

Authorization

Authorization is the process of finding and returning information about what the user is allowed to do. For example, finding out what kind of authentication methods they are allowed to run, and what VLAN the user should be placed into.

Authorization modules generally "get data" from somewhere, e.g. ldap, sql, files, etc.

The authentication method is usually determined when the server gets the user's credentials from a database. Once the credentials are available, the server can authenticate the user.

Authentication

Authentication is simply the process of comparing the user's credentials in the request with the "known good" credentials retrieved from a database. Authentication usually deals with password encryption. The modules pap, chap, mschap, etc. do authentication.

Some modules do both authentication and limited authorization. For example, the mschap module authenticates MS-CHAP credentials, but it may also be used as an authorization module, which verifies that the request contains MS-CHAP related attributes. If so, the module instructs the server to use mschap for authentication, too.

These dual modules are usually related to protocol-specific attributes, such as the pap module for the User-Password attribute, chap for CHAP-Password, mschap for MS-CHAP-*, etc.

Request Processing

When the server processes requests, it manages four attribute lists:

request
    attributes taken from the received packet

reply
    attributes which will be sent in the reply

control
    attributes used to control how the server operates. These are never sent in a packet.

session-state
    attributes which are saved and restored across multiple request / reply exchanges.

All of these lists are available to all modules, and all of them are available in Unlang.
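The following virtual server ties the two steps above together and shows all four lists being used from Unlang. It is an added example written for this page, not configuration shipped with FreeRADIUS or taken from the original text. The server name `example`, the user `alice`, her password, and VLAN `42` are constructed values; the users-file entry shown in the leading comment is assumed to exist in `mods-config/files/authorize`.

```unlang
# sites-enabled/example (added example; not from the page or the FreeRADIUS
# distribution). Assumes the files module holds this constructed entry in
# mods-config/files/authorize:
#
#   alice   Cleartext-Password := "s3cret"
#           Tunnel-Type = VLAN,
#           Tunnel-Medium-Type = IEEE-802,
#           Tunnel-Private-Group-Id = "42"
#
# The ":=" items on the first line go into the control list (the "known good"
# credentials); the indented lines go into the reply list.
server example {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }

    # Authorization: "get data" about the user and decide how to authenticate.
    authorize {
        # Protocol modules inspect the request list. Each one that finds its
        # attribute (CHAP-Password, MS-CHAP-*) sets control:Auth-Type.
        chap
        mschap

        # Look up the known good credentials and the VLAN for this user.
        files

        # pap sets Auth-Type = PAP only if User-Password is present and no
        # other module has set an Auth-Type yet, so it runs after the others.
        pap

        # If no module set an Auth-Type, no method matches the request.
        if (!&control:Auth-Type) {
            update reply {
                &Reply-Message := "No usable authentication method in request"
            }
            reject
        }

        # session-state survives across the packets of a multi-round exchange
        # (relevant when the same virtual server also handles EAP).
        update session-state {
            &Tmp-String-0 := "%{request:NAS-IP-Address}"
        }
    }

    # Authentication: compare the credentials in the request list with the
    # known good values in the control list.
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }

    # The reply list built during authorization (the VLAN attributes from the
    # files entry) is sent in the Access-Accept.
    post-auth {
        update reply {
            &Reply-Message := "Welcome %{request:User-Name}"
        }
        Post-Auth-Type REJECT {
            # Strip the VLAN attributes from an Access-Reject so a failed
            # login never carries authorization data.
            attr_filter.access_reject
        }
    }
}
```

With the server running in debug mode (`radiusd -X`), `radtest alice s3cret 127.0.0.1 0 testing123` exercises the PAP path from a localhost client using the default shared secret; the debug output shows the files module populating `control:Cleartext-Password`, pap setting `Auth-Type = PAP`, and the VLAN attributes leaving in the reply list.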