ClearBox Server™ v1.2 Developer's Guide

RADIUS Authorization

This article explains the RADIUS-specific authorization that ClearBox Server performs when it receives a RADIUS authentication request packet. Note that authorization is not part of the RADIUS protocol itself; ClearBox Server performs it as one stage of authentication packet processing. See the sections on authorization concepts, RADIUS concepts and the RADIUS attribute properties (flags) used during authorization.

RADIUS authorization is performed only if the server extension implements the IRADIUSAuthorization interface; otherwise this whole stage is skipped.

First, the Service-Type RADIUS attribute is checked. If it is present and has the value "Authenticate Only", the authorization process is skipped entirely, including the AutoReject and RequestMatch checks described below.

Next, IRADIUSAuthorization::GetAutorejectAttributes is called to obtain the "AutoReject List" of attributes. If any of these attributes is present in the packet, the packet is rejected. Note that the attribute comparison is performed according to the flags that an attribute in the AutoReject List may carry.

If the AutoReject List check is passed, the server calls IRADIUSAuthorization::GetRequestMatchAttributes to obtain the list of "RequestMatch attributes" (the "RequestMatch list"). For every attribute in the RequestMatch list the server searches the packet for an attribute of the same type. If none is found:

  • The next attribute is taken from the RequestMatch list if the RequestMatch attribute has the F_DEFAULT flag set.
  • The user is rejected if the F_DEFAULT flag is not set.

If a packet attribute of the same type as the RequestMatch attribute is found:

  • The next RequestMatch list attribute is taken if the RequestMatch attribute has the F_NOVALUE flag set or the two attributes have the same value. Note that F_DEFAULT alone does not suppress the value comparison: an attribute that is optional but may carry any value needs both F_DEFAULT and F_NOVALUE.
  • The user is rejected otherwise.

If the RequestMatch list check is passed, the server obtains the list of attributes to include in the response packet (the "Response list") by calling IRADIUSAuthorization::GetResponseAttributes. Before this call the server calls IRADIUSAuthorization::NeedAllAttributes to find out whether the full list of attributes from the request packet should be passed to IRADIUSAuthorization::GetResponseAttributes, or no attributes at all. The server may still reject the user after the call to IRADIUSAuthorization::GetResponseAttributes. For every attribute in the Response list the F_ECHO flag is checked. If the flag is set:

  • An attribute of the same type is searched for in the request packet. If it is found, its value is used in the response packet instead of the value of the Response list attribute.
  • Otherwise an attribute of the same type with the F_DEFAULT flag set is searched for in the RequestMatch list. If it is found, the value of that RequestMatch attribute is used in the response packet instead of the value of the Response list attribute.
  • If neither is found, the Response list attribute is not included in the response packet at all.
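The whole sequence above (Service-Type check, AutoReject list, RequestMatch list, Response list), modelled as an added example that is not ClearBox Server code. The IRADIUSAuthorization methods are mirrored as plain Python methods on a hypothetical Extension class; the flag bit values, the way a rejection from GetResponseAttributes is signalled (returning None), the presence-only comparison for F_NOVALUE on an AutoReject entry, and the sample request packets are all assumptions made for illustration. The attribute type numbers and enumerated values are the ones defined in RFC 2865.

```python
from dataclasses import dataclass

# Flag names come from the page; the bit values are assumed.
F_DEFAULT = 0x1   # RequestMatch: attribute may be absent from the request
F_NOVALUE = 0x2   # presence is enough, the value is not compared
F_ECHO = 0x4      # Response: take the value from the request (or a default)

# RFC 2865 attribute types and enumerated values used below.
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_IP_ADDRESS = 1, 4, 6, 8
FRAMED_ROUTE, SESSION_TIMEOUT, CALLING_STATION_ID, NAS_PORT_TYPE = 22, 27, 31, 61
SERVICE_TYPE_AUTHENTICATE_ONLY = 8
NAS_PORT_TYPE_VIRTUAL = 5


@dataclass(frozen=True)
class Attr:
    type: int
    value: object = None
    flags: int = 0


def find(attrs, atype):
    """First attribute of the given type, or None."""
    return next((a for a in attrs if a.type == atype), None)


class Extension:
    """Hypothetical stand-in for a server extension implementing IRADIUSAuthorization."""

    def get_autoreject_attributes(self):
        # Any request arriving over a virtual port is refused outright.
        return [Attr(NAS_PORT_TYPE, NAS_PORT_TYPE_VIRTUAL)]

    def get_request_match_attributes(self):
        return [
            Attr(NAS_IP_ADDRESS, "10.0.0.1"),                           # value must match
            Attr(CALLING_STATION_ID, flags=F_NOVALUE),                  # must be present
            Attr(FRAMED_IP_ADDRESS, "10.1.2.3", F_DEFAULT | F_NOVALUE), # optional, any value
        ]

    def need_all_attributes(self):
        return True  # pass the full request to get_response_attributes

    def get_response_attributes(self, request_attrs):
        if find(request_attrs, USER_NAME) is None:
            return None  # assumed way to reject the user at this stage
        return [
            Attr(FRAMED_IP_ADDRESS, flags=F_ECHO),  # request value, else the default
            Attr(SESSION_TIMEOUT, 3600),
            Attr(FRAMED_ROUTE, flags=F_ECHO),       # nothing to echo: dropped
        ]


def authorize(packet, ext):
    """Return (accepted, response_attributes) following the documented order:
    Service-Type check, AutoReject list, RequestMatch list, Response list."""
    st = find(packet, SERVICE_TYPE)
    if st is not None and st.value == SERVICE_TYPE_AUTHENTICATE_ONLY:
        return True, []  # authorization skipped entirely

    for ar in ext.get_autoreject_attributes():
        for p in packet:  # assumption: F_NOVALUE on an AutoReject entry matches on presence
            if p.type == ar.type and (ar.flags & F_NOVALUE or p.value == ar.value):
                return False, []

    rm_list = ext.get_request_match_attributes()
    for rm in rm_list:
        p = find(packet, rm.type)
        if p is None:
            if rm.flags & F_DEFAULT:
                continue
            return False, []
        if not (rm.flags & F_NOVALUE) and p.value != rm.value:
            return False, []

    request_view = list(packet) if ext.need_all_attributes() else []
    resp_list = ext.get_response_attributes(request_view)
    if resp_list is None:
        return False, []

    response = []
    for ra in resp_list:
        if not ra.flags & F_ECHO:
            response.append(Attr(ra.type, ra.value))
            continue
        p = find(packet, ra.type)
        if p is not None:
            response.append(Attr(ra.type, p.value))
            continue
        default = next((rm for rm in rm_list
                        if rm.type == ra.type and rm.flags & F_DEFAULT), None)
        if default is not None:
            response.append(Attr(ra.type, default.value))
        # otherwise an F_ECHO attribute with nothing to echo is simply not sent
    return True, response


# Constructed sample request: no Framed-IP-Address, so the default is echoed back.
BASE = [Attr(USER_NAME, "alice"), Attr(NAS_IP_ADDRESS, "10.0.0.1"),
        Attr(CALLING_STATION_ID, "5551234"), Attr(NAS_PORT_TYPE, 0)]
```

Two points worth checking against your own extension: the Framed-IP-Address RequestMatch entry carries F_DEFAULT together with F_NOVALUE, because with F_DEFAULT alone a request that does supply a different Framed-IP-Address would be rejected at the value comparison; and a request carrying Service-Type "Authenticate Only" returns accepted with an empty Response list without ever consulting the AutoReject or RequestMatch lists, so those lists cannot be relied on as a deny rule for every request.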


© 2001-2003 XPerience Technologies. www.xperiencetech.com