Dell PowerConnect W Clearpass 100 Software 3.7 Deployment Guide - Page 102

 Use PHP code to assign a user role (Advanced) may be selected to return a role ID for users authenticated via EAP-TLS on a client's local certificate server. The PHP authorization code is entered on the Edit Authentication Server form. The RADIUS Authentication diagnostic can be used to demonstrate the difference between the various authorization methods. To use the diagnostic, navigate to RADIUS Services > Server Control and click the Test RADIUS Authentication command link. Enter the username and password for a user that is externally authenticated. Click the Run button to perform RADIUS authentication and display the results:  With authorization method No authorization - Authenticate only: Sending Access-Request of id 165 to 127.0.0.1 port 1812 User-Name = "demouser" User-Password = "XXXXXXXX" rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=165, length=20 Note that in this case, no RADIUS attributes are returned. The Access-Accept or Access-Reject result indicates whether the user was successfully authenticated.  With authorization method Assign a fixed user role: Sending Access-Request of id 122 to 127.0.0.1 port 1812 User-Name = "demouser" User-Password = "XXXXXXXX" rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=122, length=27 Reply-Message = "Guest" Note that in this case, the RADIUS attribute returned (Reply-Message) corresponds to the user role selected.  With authorization method Use PHP code to assign a user role (Advanced) - more complex authorization rules can be implemented to specify which role to assign to an authenticated user. Authorization can use any of the available properties of the user account, as well as taking into account other factors such as the time of day, previous usage, and more. 102 | RADIUS Services Amigopod 3.7 | Deployment Guide