pre-authorization / post-authorization
These optional clauses run immediately before and after the main authorization block for lightweight enrichment or final auditing.
# Handler "EXAMPLE": authenticates against backend "USERS", then runs the
# optional pre-authorization clause, the core authorization policy and the
# optional post-authorization clause, in that order.
handler "EXAMPLE" {
    authentication {
        backend "USERS";
        # Presumably enables PAP (Password Authentication Protocol); it is the
        # only authentication method listed in this example.
        pap;
    }
    pre-authorization {
        # Early enrichment / early deny
        # backend "LDAP_DIRECTORY";
        # if all { user.group == "banned"; } then { reject; }
        # NOTE(review): both lines above are commented out, so this clause
        # currently does nothing. Once enabled, a comparison such as
        # user.group == "banned" presumably matches only when the attribute
        # was populated by a lookup; an unset attribute would not match and
        # the request would continue into `authorization`. Confirm the
        # evaluator's behaviour on missing attributes before relying on this
        # as a deny gate.
    }
    authorization {
        # Core authorization policy:
        # set response.session-timeout = 3600;
        # `accept;` is unconditional here: with the pre-authorization reject
        # commented out, every successfully authenticated user is authorized.
        accept;
    }
    post-authorization {
        # Final audit / reply tweaks
        # debug "Authorized %{aaa.identity} timeout=%{response.session-timeout}";
        # Runs after `authorization` has produced its result, so response
        # attributes such as response.session-timeout are expected to be
        # available for logging here.
    }
}
Examples
Early deny
Reject untrusted or disabled users before the more expensive authorization logic runs:
# Early deny: reject the request before the main authorization block runs.
pre-authorization {
    if all {
        # Matches only when user.disabled has been populated (e.g. by an
        # earlier backend lookup) and equals true. If the attribute is absent
        # the condition presumably does not match and the request proceeds to
        # `authorization` — TODO confirm unset-attribute semantics.
        user.disabled == true;
    } then {
        reject;
    }
}
Attribute enrichment
Populate attributes needed for policy decisions:
# Attribute enrichment: run an additional backend lookup so that later policy
# can reference the attributes it populates.
pre-authorization {
    backend "USER_PROFILE_SQL";
    # Mappings from backend populate user.role, user.department, etc.
    # NOTE(review): if this lookup fails or returns nothing, policy that tests
    # user.role afterwards sees no value. Verify the configured behaviour on
    # backend errors so a failed lookup does not silently widen or narrow
    # access.
}
Dynamic role normalization
# Dynamic role normalization: translate raw role strings from a backend into
# the canonical user.role values that later policy tests.
pre-authorization {
    map user.raw_role {
        "NETOPS_L3" => {
            set user.role = "network-admin";
        }
        "GUEST" => {
            set user.role = "guest";
        }
        # "default" presumably acts as the fallback arm for any raw_role value
        # not listed above — TODO confirm it is a keyword rather than a literal
        # match. If it is the fallback, unknown raw roles collapse to "user", so
        # any new privileged raw role must be added explicitly here.
        "default" => {
            set user.role = "user";
        }
    }
}
Audit trail
# Audit trail: emit a debug line for both outcomes once authorization has run.
post-authorization {
    if all {
        # auth.result is presumably set by the preceding authorization block —
        # confirm the attribute name against the reference.
        auth.result == true;
    } then {
        debug "Authorized %{aaa.identity} role=%{user.role}";
    } else {
        # The denied path also logs, so every decision leaves a record.
        debug "Authorization denied %{aaa.identity}";
    }
}
Response decoration
# Response decoration: add a reply message for privileged users only.
post-authorization {
    if all {
        # Relies on user.role having been normalized earlier (e.g. in a
        # pre-authorization clause); no message is set for other roles.
        user.role == "network-admin";
    } then {
        set response.reply-message = "Privileged access granted";
    }
}