Authorization, in essence, is about restrictions. Based on certain checks a user may be restricted. Restrictions can be applied in one of two places:
- At the RADIUS server
- At the NAS
Restrictions are determined during the authentication process when an Access-Request packet is sent to the RADIUS server. Accounting-Request packets do not and cannot determine restrictions.
When a restriction is applied at the RADIUS server, the server returns an Access-Reject packet, which should include a Reply-Message AVP specifying the reason for rejection.
When a restriction is applied at the NAS, the RADIUS server returns an Access-Accept packet that includes AVPs that should be applied by the NAS. This means that you have to ensure that the NAS receives the correct AVPs to implement the restriction and that it also supports these AVPs in the first place.
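
The two restriction points, shown as an added example that is not code from the original page or from any RADIUS server: the reply to an Access-Request is either an Access-Reject carrying a Reply-Message or an Access-Accept carrying the AVPs the NAS must enforce, encoded per RFC 2865. The user table, the NAS capability table, the function names and the choice to reject when the NAS does not support a required AVP are all assumptions made for illustration; credential verification is omitted.

```python
import hashlib, struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                        # RFC 2865 packet codes
REPLY_MESSAGE, SESSION_TIMEOUT, IDLE_TIMEOUT = 18, 27, 28  # RFC 2865 attribute types

# Constructed sample data: per-user policy and the AVP types each NAS supports.
USERS = {
    "alice": {"disabled": False, "nas_avps": {SESSION_TIMEOUT: 3600, IDLE_TIMEOUT: 300}},
    "bob": {"disabled": True, "nas_avps": {}},
}
NAS_SUPPORTED = {"nas-a": {SESSION_TIMEOUT, IDLE_TIMEOUT}, "nas-b": {SESSION_TIMEOUT}}

def avp(attr_type, value):
    """Encode one AVP: type (1 byte), length (1 byte, header included), value."""
    data = value.encode() if isinstance(value, str) else struct.pack("!I", value)
    return struct.pack("!BB", attr_type, len(data) + 2) + data

def authorize(user, nas):
    """Decide the reply to an Access-Request; returns (code, encoded AVPs)."""
    policy = USERS.get(user)
    if policy is None or policy["disabled"]:
        # Restriction applied at the RADIUS server: reject and state the reason.
        return ACCESS_REJECT, avp(REPLY_MESSAGE, "Account unknown or disabled")
    unsupported = set(policy["nas_avps"]) - NAS_SUPPORTED.get(nas, set())
    if unsupported:
        # A NAS may ignore AVPs it does not support, so this sketch fails closed.
        return ACCESS_REJECT, avp(REPLY_MESSAGE, "NAS cannot enforce policy")
    # Restriction applied at the NAS: accept and hand over the AVPs to enforce.
    return ACCESS_ACCEPT, b"".join(avp(t, v) for t, v in sorted(policy["nas_avps"].items()))

def build_reply(code, ident, request_auth, avps, secret):
    """Assemble the reply packet with the RFC 2865 Response Authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(avps))
    auth = hashlib.md5(head + request_auth + avps + secret).digest()
    return head + auth + avps

def parse_avps(packet):
    """Decode the AVPs that follow the 20-byte header into {type: raw value}."""
    out, i = {}, 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed AVP")
        out[attr_type] = packet[i + 2:i + length]
        i += length
    return out
```

Running `authorize("alice", "nas-b")` shows why the capability check matters: the policy needs Idle-Timeout, the constructed `nas-b` entry does not list it, and the request is rejected instead of being accepted with a restriction that would not be applied.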