Let me explain what we are trying to do, we have Cisco anyconnect VPN and we are using onelogin RADIUS (https://www.onelogin.com/) for OTP, we have our own OpenLDAP server and onelogin sync our directory service and provide Auth with OTP solution. Recently we decided to create multiple Group Policy for VPN and every group will have own permission to access application, like Sales, Finance and contractor etc, In short contractor can't access Finance related application etc. After reading found ASA support RADIUS attribute Class 25 where i can create OU=sales and implement policy base on whatever LDAP memberOf list users. But unfortunately onelogin doesn't support that kind of attributes mapping and now we stuck here so only solution is to deploy on radius server and integrate with google authenticator. So i have question is there anyway i can use FreeRadius locally and use attributes Class 25 and then proxy authentication to onlelogin RADIUS? What should i do and what you guys suggest here?