ClearBox Server™ v1.2 User's Guide

Authorization

Authorization is the process of granting or denying a user access to network resources once the user has been authenticated by username and password. The amount of information and the range of services the user can access depend on the user's authorization level; in other words, authorization establishes what a user can do. After the user is connected and authenticated (a NAS may also be configured to use authorization without authentication), the NAS sends an authorization request to the server for each command typed or resource requested. The NAS can propose a configuration to be applied to the user as a list of attributes. Based on the information in the authorization request, the server answers by granting or denying the authorization. If the authorization is granted, the server can tell the NAS to apply a new set of attributes to the user. For example, the server can tell the NAS to discard the proposed IP address and use the address proposed by the server instead, and to apply a certain timeout value to the connection.

RADIUS Authorization

The RADIUS protocol does not separate authorization from authentication; it uses a single authentication request-response transaction for both purposes. ClearBox Server nevertheless distinguishes the two processes logically and lets you implement authorization as an independent part of packet processing.

In the RADIUS protocol, when an authentication request occurs, the NAS sends at the same time a set of parameters (attribute/value pairs) describing the user's login type and the requested services. The RADIUS server may analyze these attributes and decide whether or not to authorize the user. If it authorizes the user, the server can include in its reply another attribute set to be applied to the user who is logging in (for example a static IP address, the addresses of the DNS servers, etc.). Finally, the NAS may decide whether this set is suitable for that user and then continue or abort the session.

ClearBox Server divides the RADIUS authorization process into three parts that can be implemented independently.

AutoReject Lists

This feature automatically rejects authentication requests that contain a certain attribute. If any attribute from the AutoReject list (provided by the server extension for every access request) is present in the packet, an Access-Reject response is sent to the client. For example, Calling-Station-ID can be used to block users who dial in from a particular phone number.

RequestMatch Lists

The RequestMatch list is a list of attributes that must accompany the connection request. The NAS must send attributes that match the RequestMatch list assigned to a user; otherwise, ClearBox Server rejects the user even if the user has been authenticated.

By including appropriate attributes in the RequestMatch list, a variety of rules can be enforced. Only certain users might be permitted to use ISDN connections or to dial in to a particular NAS, or Caller ID could be used to validate a user against a list of permitted originating phone numbers.

Response Lists

The Response list is a list of attributes that ClearBox Server must return to the NAS once authorization succeeds. The Response list usually provides additional parameters that the NAS needs to complete the connection, typically as part of PPP negotiation.

By including appropriate attributes in the Response list, a variety of connection policies can be applied. Specific users can be assigned particular IP addresses or IPX network numbers, IP header compression can be turned on or off, or a time limit can be assigned to the connection.
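The three parts above form one decision procedure per Access-Request. The following Python model is an added example, not ClearBox Server code: it applies an AutoReject list, a RequestMatch list and a Response list, in that order, to a request represented as a dict of attribute to value. The policy structure (AuthorizationPolicy), the authorize() function and all sample values are constructed for this illustration; attribute names use RFC 2865 spelling.

```python
# Added example, not ClearBox Server code: a model of the three-part RADIUS
# authorization decision (AutoReject list, RequestMatch list, Response list)
# applied to an Access-Request represented as a dict of attribute -> value.
# The policy structure and the sample values below are constructed for this
# illustration; attribute names use RFC 2865 spelling.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class AuthorizationPolicy:
    # AutoReject list: attribute -> set of values that cause an immediate
    # Access-Reject. An empty set means "reject whenever the attribute is
    # present at all".
    autoreject: Dict[str, Set[str]] = field(default_factory=dict)
    # RequestMatch list: attribute -> set of acceptable values. Every listed
    # attribute must be present in the request with one of these values.
    request_match: Dict[str, Set[str]] = field(default_factory=dict)
    # Response list: attributes returned to the NAS in the Access-Accept.
    response: Dict[str, str] = field(default_factory=dict)


def authorize(request: Dict[str, str], policy: AuthorizationPolicy) -> Tuple[str, Dict[str, str]]:
    """Return ("Access-Reject", {}) or ("Access-Accept", response_attributes).

    The request is assumed to have already passed authentication.
    """
    # Part 1: AutoReject. Presence of a listed attribute (optionally with a
    # listed value) rejects the request before anything else is looked at.
    for attr, bad_values in policy.autoreject.items():
        if attr in request and (not bad_values or request[attr] in bad_values):
            return "Access-Reject", {}

    # Part 2: RequestMatch. The NAS must have sent every listed attribute with
    # an acceptable value; an authenticated user is still rejected otherwise.
    for attr, allowed in policy.request_match.items():
        if request.get(attr) not in allowed:
            return "Access-Reject", {}

    # Part 3: Response list. Returned only once authorization succeeds, so
    # nothing here is ever sent in reply to a rejected request. A copy is
    # returned so callers cannot mutate the policy.
    return "Access-Accept", dict(policy.response)


# Constructed policy for one user: block one calling number outright, require
# an ISDN port on a specific NAS, and hand back a static address and a time limit.
ISDN_USER_POLICY = AuthorizationPolicy(
    autoreject={"Calling-Station-Id": {"5551234"}},
    request_match={"NAS-Port-Type": {"ISDN"}, "NAS-IP-Address": {"192.0.2.1"}},
    response={"Framed-IP-Address": "10.0.0.5", "Session-Timeout": "3600"},
)

# Constructed Access-Requests (attribute values only; shared secret and
# authenticator handling are outside this model).
REQ_OK = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.1",
          "NAS-Port-Type": "ISDN", "Calling-Station-Id": "5559876"}
REQ_BLOCKED_NUMBER = dict(REQ_OK, **{"Calling-Station-Id": "5551234"})
REQ_WRONG_PORT = dict(REQ_OK, **{"NAS-Port-Type": "Async"})
REQ_NO_PORT_TYPE = {k: v for k, v in REQ_OK.items() if k != "NAS-Port-Type"}


if __name__ == "__main__":
    for name, req in [("ok", REQ_OK), ("blocked number", REQ_BLOCKED_NUMBER),
                      ("wrong port", REQ_WRONG_PORT), ("no port type", REQ_NO_PORT_TYPE)]:
        print(name, "->", authorize(req, ISDN_USER_POLICY))
```

The ordering matters: the AutoReject check runs first so a blocked calling number is rejected without evaluating anything else, and a RequestMatch attribute that is simply absent from the request (REQ_NO_PORT_TYPE) is treated as a mismatch rather than a pass.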

Read more about RADIUS attributes and their properties.

See how ClearBox Server processes RADIUS authorization.

TACACS+ Authorization

In the TACACS+ protocol, every attribute proposed by the NAS in the authorization request can be optional or mandatory. If the attribute is optional, the server can propose an alternative. If it is mandatory, the server cannot modify the attribute; if the server considers it invalid, it can only answer with an authorization-denied reply.
Likewise, the attributes added by the server in a granted authorization reply can be mandatory or optional. If they are optional, the NAS can independently choose whether to apply them to the user. If they are mandatory, the NAS must use them; if for any reason the NAS cannot honor a mandatory attribute, it must deny the authorization even though the server's reply was positive.

Authorization requests can occur for three different kinds of services:

  • Authorization to the shell (Exec)
  • Authorization to commands
  • Authorization to network services

Authorization to the shell (Exec)
The authorization to the shell (Exec) in the TACACS+ protocol establishes whether a user is granted the use of a command shell on the NAS, and the conditions and filters to be applied to that user.
The authorization request for the shell occurs when a user connects to the NAS with a terminal emulator and requests a command prompt. The shell is not requested in other situations, for example when the user connects to the NAS in PPP mode using PAP or CHAP authentication.

Authorization to commands
The NAS forwards an authorization request for commands to authorize the user to run specific commands.
With ClearBox Server it is possible to define a list of allowed or denied commands, and to deny some commands on the basis of their parameters: for example, to allow the telnet command only when its parameters refer to specific hosts.
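A command-authorization rule set of the kind just described, as an added example that is not ClearBox Server code: ordered rules permit or deny a command, and a rule can be restricted by a regular expression over the command's parameters, which is how "telnet only to these hosts" is expressed. The CommandRule format, the management host list and the sample commands are constructed for this illustration; the command name and its arguments are assumed to have already been extracted from the authorization request.

```python
# Added example, not ClearBox Server code: a command-authorization evaluator
# for the TACACS+ command requests described above. Rules allow or deny a
# command, and can deny it on the basis of its parameters (the telnet-only-to-
# specific-hosts case). The rule format, the host list and the sample commands
# are constructed for this illustration; the command name and its arguments
# are assumed to have been extracted from the request already.
import re
from typing import List, NamedTuple, Sequence


class CommandRule(NamedTuple):
    command: str        # command name, e.g. "telnet"; "*" matches any command
    args_pattern: str   # regex that must fully match the space-joined arguments
    permit: bool


def authorize_command(command: str, args: Sequence[str],
                      rules: List[CommandRule], default_permit: bool = False) -> bool:
    """Evaluate rules in order; the first rule matching command and arguments decides.

    An anchored full match on the argument string stops "10.0.0.10" from
    satisfying a rule written for "10.0.0.1". When no rule matches, the
    default applies; deny-by-default is the safe choice.
    """
    arg_text = " ".join(args)
    for rule in rules:
        if rule.command in ("*", command) and re.fullmatch(rule.args_pattern, arg_text):
            return rule.permit
    return default_permit


# Constructed policy: telnet only to two management hosts (optional port),
# any "show" command, no configuration changes, everything else denied.
MGMT_HOSTS = ["10.0.0.1", "10.0.0.2"]
HOST_ALTERNATION = "|".join(re.escape(h) for h in MGMT_HOSTS)
OPERATOR_RULES = [
    CommandRule("telnet", rf"({HOST_ALTERNATION})( \d+)?", True),
    CommandRule("telnet", r".*", False),
    CommandRule("show", r".*", True),
    CommandRule("configure", r".*", False),
]


if __name__ == "__main__":
    for cmd, args in [("telnet", ["10.0.0.1"]), ("telnet", ["10.0.0.1", "23"]),
                      ("telnet", ["10.0.0.10"]), ("show", ["running-config"]),
                      ("configure", ["terminal"]), ("reload", [])]:
        verdict = "permit" if authorize_command(cmd, args, OPERATOR_RULES) else "deny"
        print(cmd, args, "->", verdict)
```

Because the first matching rule wins, the specific telnet permit must precede the catch-all telnet deny; reversing the two would deny every telnet command. Hosts are inserted with re.escape so that the dots in an address are matched literally.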

Authorization to network services
The authorization to network services in the TACACS+ protocol establishes whether the user is allowed to connect to the NAS through a particular protocol, and the conditions and filters to be applied to the user.
The authorization request for network services takes place when a user connects to the NAS in PPP mode, for example using PAP or CHAP authentication.

List of Attribute-Value pairs
The authorization to the shell (Exec) and to network services allows filters to be specified for the user. The parameters applied to the user are specified through the negotiation of attribute/value (A/V) pairs between the NAS and ClearBox Server.
An A/V pair takes one of the following forms:

attribute=value
or
attribute*value

where the equal sign "=" means that the attribute is mandatory and must be applied to the user (otherwise the authorization fails), while the asterisk "*" denotes an optional attribute that the NAS may apply or ignore.
The list of A/V pairs supported by the NAS depends strictly on the brand and model of the NAS as well as on the version of its operating system.
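The A/V pair syntax above and the mandatory/optional negotiation rules from the start of this TACACS+ section, worked through on both sides of the exchange, as an added example that is not ClearBox Server code: parse_av_pair() splits a pair on its first "=" or "*", server_authorize() applies a server policy to the pairs the NAS proposed (substituting only optional ones and denying when a mandatory one conflicts), and nas_apply() shows the NAS dropping an unsupported optional attribute but refusing the session over an unsupported mandatory one. Attribute names such as "addr", "timeout" and "priv-lvl", the policy format and all sample values are constructed for this illustration; the names a real NAS accepts come from its vendor's A/V pair list.

```python
# Added example, not ClearBox Server code: parsing TACACS+ attribute/value
# pairs in the "attribute=value" (mandatory) and "attribute*value" (optional)
# forms, and applying the negotiation rules described above on both sides of
# the exchange. Attribute names such as "addr" and "timeout" and all sample
# values are constructed for this illustration; consult the NAS vendor's A/V
# pair list for the real names.
from typing import Dict, List, NamedTuple, Set, Tuple


class AVPair(NamedTuple):
    attribute: str
    value: str
    mandatory: bool   # True for "=", False for "*"


def parse_av_pair(text: str) -> AVPair:
    """Split on the first '=' or '*'; the separator decides mandatory/optional."""
    for i, ch in enumerate(text):
        if ch == "=":
            return AVPair(text[:i], text[i + 1:], True)
        if ch == "*":
            return AVPair(text[:i], text[i + 1:], False)
    raise ValueError(f"not an A/V pair: {text!r}")


def format_av_pair(pair: AVPair) -> str:
    return f"{pair.attribute}{'=' if pair.mandatory else '*'}{pair.value}"


def server_authorize(proposed: List[str],
                     policy: Dict[str, Tuple[str, bool]]) -> Tuple[str, List[str]]:
    """Server side. policy: attribute -> (value the server wants, mandatory flag).

    Optional NAS attribute the policy disagrees with -> server substitutes its value.
    Mandatory NAS attribute the policy disagrees with -> server cannot change it,
    so the only possible answer is a denial. Policy attributes the NAS did not
    propose are added to the reply.
    """
    reply: List[AVPair] = []
    seen: Set[str] = set()
    for pair in map(parse_av_pair, proposed):
        seen.add(pair.attribute)
        wanted = policy.get(pair.attribute)
        if wanted is None or wanted[0] == pair.value:
            reply.append(pair)               # accepted as proposed
        elif pair.mandatory:
            return "denied", []              # NAS insisted; server may not alter it
        else:
            reply.append(AVPair(pair.attribute, wanted[0], wanted[1]))
    for attr, (value, mandatory) in policy.items():
        if attr not in seen:
            reply.append(AVPair(attr, value, mandatory))
    return "granted", [format_av_pair(p) for p in reply]


def nas_apply(status: str, reply: List[str], supported: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """NAS side. Returns (session_allowed, attributes actually applied).

    An optional attribute the NAS does not support is simply dropped; a
    mandatory one it cannot honour turns a granted reply into a denial.
    """
    if status != "granted":
        return False, {}
    applied: Dict[str, str] = {}
    for pair in map(parse_av_pair, reply):
        if pair.attribute in supported:
            applied[pair.attribute] = pair.value
        elif pair.mandatory:
            return False, {}
    return True, applied


# Constructed exchange: the NAS proposes a shell session with an optional
# address and timeout; the server's policy pins the address (mandatory),
# relaxes the timeout (optional) and adds a privilege level (mandatory).
NAS_PROPOSAL = ["service=shell", "addr*192.0.2.10", "timeout*30"]
SERVER_POLICY = {"addr": ("10.0.0.5", True), "timeout": ("60", False), "priv-lvl": ("1", True)}
NAS_SUPPORTED = {"service", "addr", "priv-lvl"}   # this NAS has no timeout support

if __name__ == "__main__":
    status, reply = server_authorize(NAS_PROPOSAL, SERVER_POLICY)
    print(status, reply)
    print(nas_apply(status, reply, NAS_SUPPORTED))
    print(server_authorize(["addr=192.0.2.10"], SERVER_POLICY))
```

Running the constructed exchange, the server replaces the optional address with its own mandatory one, relaxes the timeout while leaving it optional, appends priv-lvl, and the NAS silently drops the timeout it cannot apply. Proposing the same address as mandatory ("addr=192.0.2.10") instead forces a denial, since the server is not allowed to rewrite a mandatory attribute.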

See list of AV pairs supported by the Cisco NAS (with IOS operating system).

See how ClearBox Server processes TACACS+ authorization packets.


© 2001-2003 XPerience Technologies. www.xperiencetech.com
