Authorization

Authorization refers to the process of determining what permissions are granted to the user. For example, the user may or may not be permitted certain kinds of network access or allowed to issue certain commands.

The NAS sends a "request" - a packet of information about the user - and the RADIUS server either grants or denies authorization based solely on information in the "request" sent by the NAS. In each case, the RADIUS server manages the authorization policy and the NAS enforces the policy.

The NAS "request" is really a set of statements. For example, the NAS may send the RADIUS server a "request" containing the following user information:

"the user's name is Bob"
"they entered the password Hello"
"they are asking to use the IP address 192.0.2.34"

Once the server receives the request, it uses that information to figure out what properties the user should have. For example, the user "Bob" is saying that he wants to use the IP address 192.0.2.34, but does the database say that he is supposed to use another IP address?

The server then sends a reply to the NAS. The reply contains a series of statements about what properties the user should have:

"the user's name is Bob"
"he should use the IP address 192.0.2.78"

Note that the RADIUS server can't request further information from the NAS. In contrast with SQL systems, RADIUS is limited in that it cannot make complicated queries. In SQL, queries such as "SELECT name FROM table WHERE ipaddress = 192.0.2.34" are common. RADIUS does not have that capability. Instead, RADIUS only makes statements about what is, and what should be.

Upon receipt of a reply from the server, the NAS tries to enforce those properties on the user. If the NAS determines that the properties cannot be enforced, it is supposed to close the connection.
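The exchange described above, written out as an added example (not code from this page or from any RADIUS implementation): the server gets one request, answers from its own database without asking the NAS anything further, and the NAS then either enforces every property in the reply or closes the connection. The attribute names User-Name, User-Password and Framed-IP-Address are standard RADIUS attributes that the page does not name; the user database, the address pool and the clear-text password field are constructed stand-ins (a real packet carries an obfuscated password, and authentication itself is outside this section).

```python
# Constructed user database: this is the authorization policy the RADIUS
# server manages. A None address means "accept whatever the NAS proposes".
USERS = {
    "Bob": {"password": "Hello", "Framed-IP-Address": "192.0.2.78"},
    "Alice": {"password": "s3cret", "Framed-IP-Address": None},
}


def authorize(request):
    """Server side: one request in, one reply out, no follow-up queries.

    The request is a dict of attribute statements from the NAS. The reply is
    (code, attributes), where attributes are statements about what the user
    SHOULD have, which may differ from what the NAS asked for.
    """
    user = USERS.get(request.get("User-Name"))
    if user is None or user["password"] != request.get("User-Password"):
        return "Access-Reject", {}
    reply = {"User-Name": request["User-Name"]}
    assigned = user["Framed-IP-Address"]
    if assigned is not None:
        # The database says this user must use a specific address; the
        # address the NAS proposed (192.0.2.34 in the text) is ignored.
        reply["Framed-IP-Address"] = assigned
    elif "Framed-IP-Address" in request:
        reply["Framed-IP-Address"] = request["Framed-IP-Address"]
    return "Access-Accept", reply


def nas_enforce(code, reply, assignable_pool):
    """NAS side: apply the reply's properties to the session.

    assignable_pool is the constructed set of addresses this NAS can hand out.
    If any property in the reply cannot be enforced, the connection is closed.
    """
    if code != "Access-Accept":
        return "connection closed"
    ip = reply.get("Framed-IP-Address")
    if ip is not None and ip not in assignable_pool:
        return "connection closed"
    return "session up for %s with %s" % (reply["User-Name"], ip)


if __name__ == "__main__":
    req = {"User-Name": "Bob", "User-Password": "Hello",
           "Framed-IP-Address": "192.0.2.34"}
    code, attrs = authorize(req)
    print(code, attrs)
    print(nas_enforce(code, attrs, {"192.0.2.78", "192.0.2.79"}))
    print(nas_enforce(code, attrs, {"192.0.2.34"}))  # .78 not enforceable
```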