On Jan 26, 2010, at 9:19 AM, Avi Lior wrote:
"provisioning a service" is authorization no?
Correct.
I authenticate you then authorize you for a service by sending you authorization attribute that define what service or services you will receive.
Yes.
I dont see a difference ... so i cant agree with:After all, RADIUS is not about answering authorization questions from NASes, it's about identifying users and *telling* them what service they get, basedon their identity, and contextual hints from the NAS.identifying users is authentication and telling them what service they get is authorization. Am I missing something?Anyway it may not be important that the language we are using is aligned.
It is a semantics issue. The RADIUS model is to provision services (authorize access) based on authenticated identity, contextual hints from the NAS and server-based policy. The NAS cannot ask questions of the form "Would you allow this user to access that service?" The NAS can ask questions of the form "I have this user, who has made a connection attempt via that port / protocol, what access should I provision to the user?"
-- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>