For the purpose of VPN access control, it is a common requirement that the RADIUS server return some specific attributes in an Access-Accept response.
The example below demonstrates how to return the user's group names in the RADIUS attribute Filter-Id.
First, create a RADIUS attribute (RADIUS > Radius Attribute > Create)
In the field "Maps To:", enter groups?.name.join(','). Also, check the box "Return Response".
To assign the Radius attribute to a user, navigate to the user's account and select "Radius Settings\Radius Attribute" from the context menu.
To assign the Radius attribute to a group, navigate to the group and select "Radius Settings\Radius Attribute" from the context menu.
Then, select the Radius attribute, i.e. Filter-Id.
Here we use NTRadPing as a RADIUS client to run the test.
As you can see, the response contains the attribute Filter-Id=3. You can confirm this with Wireshark.
If you change the mapping to groups?.name.join(','), then the result will be Filter-Id=aaa.
What if this user belongs to two groups, for instance aaa and ccc? The result will be Filter-Id=aaa,ccc.
Furthermore, if you want to return only one group name, e.g. 'aaa', then you must assign the attribute to the group 'aaa' and map the attribute to:
nestedGroups?.find{it.radiusAttributes.any{ att-> att.name=='Filter-Id'}}.name