Linux groups information from RADIUS server

Alan DeKok aland at
Mon Apr 22 23:20:46 CEST 2019

On Apr 22, 2019, at 5:10 PM, JCA <1.41421 at> wrote:
> My understanding is that, when a Linux server delegates authentication
> chores (via PAM) to a RADIUS server, the information having to do with the
> groups that the authenticated user belongs to is retrieved either locally -
> from the relevant entry in /etc/passwd - or from a remote server via NSS -
> for example, from an LDAP server.

  Yes.  PAM does authentication.  NSS does everything else.

> Is there anything preventing one from getting the group information from
> the RADIUS server itself?

  There is no NSS radius module, and there is no standard way to get UID / GID / etc. data via RADIUS.

> The RADIUS server could be configured so that,
> when a user has been successfully authenticated by said server, this server
> would send back the authentication OK RADIUS message together with one or
> more attributes containing the groups information.
> The reason I am asking this is because I have interacted with some devices
> in the past that were able to get these data from a RADIUS server alone.
> However, I don't know if this was achieved with the concourse of a
> mechanism similar to what I described, or something totally different.

  Nothing implements this.

  Nothing *prevents* it from being implemented, but nothing implements it.

  Alan DeKok.
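
The split described in the reply above (PAM authenticates, NSS supplies UID / GID / group data), as an added example that is not part of the original thread: a small Python audit that reads a PAM service file and nsswitch.conf and reports which source answers each question. Both configuration samples are constructed, and pam_radius_auth.so is assumed as the name of the PAM RADIUS module in use.

```python
import re

# Constructed samples (not from the thread); pam_radius_auth.so is an assumed module.
SAMPLE_PAM = """\
# /etc/pam.d/sshd (constructed)
auth     [success=done default=ignore]  pam_radius_auth.so
auth     required                       pam_unix.so try_first_pass
account  required                       pam_unix.so
"""
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed)
passwd: files ldap
group:  files ldap
hosts:  files mdns4_minimal [NOTFOUND=return] dns
"""
# Fields: type, control (plain word or bracketed [value=action ...]), module
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_modules(text):
    """Map each PAM type (auth, account, ...) to its modules, in stack order."""
    stack = {}
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m:  # "@include" lines and blanks do not match and are skipped
            stack.setdefault(m.group(1), []).append(m.group(3))
    return stack

def nss_sources(text):
    """Map each NSS database to its ordered sources, ignoring [STATUS=action]."""
    dbs = {}
    for line in text.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:
            dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return dbs

def identity_split(pam_text, nss_text):
    """Report who verifies the password and who supplies UID/GID/group data."""
    auth = pam_modules(pam_text).get("auth", [])
    nss = nss_sources(nss_text)
    return {
        "radius_authenticates": any("radius" in m for m in auth),
        "passwd_sources": nss.get("passwd", []),
        "group_sources": nss.get("group", []),
        "radius_in_nss": any("radius" in s for srcs in nss.values() for s in srcs),
    }

if __name__ == "__main__":
    print(identity_split(SAMPLE_PAM, SAMPLE_NSSWITCH))
```

On the constructed input, RADIUS appears only in the PAM auth stack, while the passwd and group databases resolve through files and ldap, so group membership used for access decisions depends on those sources rather than on the RADIUS reply.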

More information about the Freeradius-Users mailing list