A Real World Analogy

The following analogy illustrates the difference between Authentication and Authorization.

Imagine you are driving a car and you are stopped by a police officer. The officer asks you to provide a piece of identification to identify yourself. You could, for example, use your passport, driver’s license, or ID card to prove (i.e. authenticate) who you are. In terms of the RADIUS protocol, the authentication process identifies the user as someone who is known to the system. However, the fact that a user is known does not automatically mean that the user has authorization to do anything at all.

In the example above, the police officer may also ask you to prove that you are authorized to drive. In this case, there is only one document - a driver’s license, which proves that you are permitted (i.e. authorized) to drive a car.

The authorization process thus combines the policy on the RADIUS server and the information in the request from the NAS. The NAS may add additional information to the request, such as the user’s Media Access Control (MAC) address. The NAS sends the information to the server, where an authorization decision is made.

Once the server processes this information, it sends a response to the NAS with instructions detailing which actions are allowed or denied. The NAS then monitors the user’s behavior and allows or denies activities according to the policy definition sent by the server.

During the user’s network session the policies are essentially static. In some cases, the server may change policies, and inform the NAS. There is no way for the user to request policy changes in RADIUS. The user must instead disconnect, and reconnect.