Dell PowerConnect W Clearpass 100 Software 3.7 Deployment Guide - Page 101

 If the authentication is successful, the authorization code is evaluated. The user object returned from the external authentication server is available as the variable $user.  The PHP code should return one of the following values:  The ID of a user role (that is, an integer value) to assign that role to the external user.  NULL to indicate no role (that is, authentication only).  FALSE or a standard result type such as array('error' => 1, 'message' => 'description of failure') to indicate an authorization failure  Authorization of the user then continues using the specified role ID. The RADIUS server will return an Access-Reject message if the authorization fails.  The RADIUS server will return an Access-Accept message that includes the corresponding attributes from the user role if the authentication and authorization steps are both successful. Click the Save Changes button to complete the creation or modification of the external authentication server. You will be prompted to restart the RADIUS server after making configuration changes affecting external authentication. About Authorization Methods in External Authentication Servers The level of authorized access an authenticated user can have is controlled by the external authentication server's authorization method. There are two aspects to user authorization:  Is the user allowed? Yes/no decisions can be made in the context of authorization. Examples: user account not enabled; user account expired; user account exceeded a traffic quota within a certain time window.  What are the user's permitted limits? These are not yes/no decisions, but might involve a calculation based on previous usage (for example, via the accounting-based authorization functions), or based on properties of a user account (for example, maximum session lifetime is based on the expiration time for the account) Each server's authorization method can be configured. The authorization methods available vary according to the type of authentication server:  No authorization - Authenticate only may be used to provide a basic user authentication service. The RADIUS server will respond with an Access-Accept or Access-Reject for the authentication attempt. Only RADIUS attributes directly related to user authentication will be returned; all other attributes will be ignored.  Use role assigned to local user is the only authorization method available for the local user database. If the user's authentication attempt is successful, the RADIUS server will respond with an Access-Accept message that includes the RADIUS attributes defined for the user's role.  Use the common name of the client certificate to match a local user account may be specified for users authenticated via EAP-TLS on a client's local certificate server.  Use attributes from Proxy RADIUS server is an authorization method available only for Proxy RADIUS servers. The RADIUS attributes returned by the external RADIUS server are returned unmodified.  Assign a fixed user role may be used to assign all authenticated users to a particular user role. If the user's authentication attempt is successful, the RADIUS server will respond with an Access-Accept message that includes the RADIUS attributes defined for the fixed role that has been selected for this authentication server. Amigopod 3.7 | Deployment Guide RADIUS Services | 101