For the purpose of VPN access control, it is a common requirement that the VPN server asks the RADIUS server to return a user's group membership in a RADIUS attribute.

This guide describes how to return the list of groups the user belongs to in a RADIUS attribute.

Create a RADIUS attribute

Navigate to "Radius \ Radiusd Attributes"

Click "CREATE"

Select the "Vendor", e.g. "IETF"

Select the attribute name, e.g. "Filter ID"

In the "Value" box, select the "Script" option

In the "Script" box, enter "groups?.name"

Enable the option "Return as multiple attribute"

Click "Save"

Apply the RADIUS attribute to the RADIUS client

Navigate to "Radius \ Radius Clients"

Select the Radius client, e.g. "NTRadPing"

In the context menu select "Radius Attribute"

Select the Radius attribute, e.g. "Filter-id"

Click "Save"

Test the group attribute

We use a test user account that belongs to 4 groups in AD.

We use a RADIUS test tool, NTRadPing, to test the group attribute.
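
To check the same result in a script, the following Python code verifies an Access-Accept against the shared secret and collects every Filter-Id value. It is an added example, not part of the original guide or the product, and it assumes that "Return as multiple attribute" emits one Filter-Id attribute per group. The group names, shared secret and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

FILTER_ID = 11      # IETF Filter-Id (RFC 2865)
ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept

def build_accept(ident, request_auth, secret, groups):
    """Constructed Access-Accept with one Filter-Id AVP per group."""
    attrs = b"".join(struct.pack("!BB", FILTER_ID, 2 + len(g)) + g for g in groups)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def parse_groups(packet, request_auth, secret):
    """Verify the reply, then return every Filter-Id value it carries."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]          # ignore trailing padding
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    groups, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute")
        if a_type == FILTER_ID:
            groups.append(attrs[pos + 2:pos + a_len].decode("utf-8"))
        pos += a_len
    return groups

# Constructed sample values (not from the page)
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_GROUPS = [b"VPN-Users", b"Finance", b"IT-Admins", b"Domain Users"]
SAMPLE_PACKET = build_accept(7, REQUEST_AUTH, SECRET, SAMPLE_GROUPS)

if __name__ == "__main__":
    print(parse_groups(SAMPLE_PACKET, REQUEST_AUTH, SECRET))
```

A reply whose Response Authenticator does not match is rejected before any group value is read, so a VPN server following this logic never acts on group names from an unauthenticated packet.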