Hello there, I'm trying to deploy a FreeRadius server with OpenLDAP. To this end, both are working properly and communicate with each other successfully. I have LDAP groups set up so users belong to a group and I can check from freeradius' users file if a user belongs to a group (and, for example, deny access to all users belonging to a certain group). I must say that, if I enable group checking in users file, I can see rlm_ldap debug info about it searching for group information; but if it's not enabled it doesn't search for groups. The issue here is that the server will be used to authenticate wifi users from a Ruckus ZoneDirector device, which defines roles and assigns roles to the users depending on the groups that the users belong to. This works flawlessly when authenticating against LDAP itself, but if freeradius stands in the middle the group info gets lost somewhere. I know that freeradius can access Ldap-Group variable and know which group the user belongs to, but I'd like it to forward that info to the ZoneDirector (who is actually performing the authentication request against freeradius), so that it can assign the role properly. The LDAP database is set up with two OUs, users and groups, and users being of objectClass inetOrgPerson and groups being groupOfNames. In freeradius, ldap config is mostly default except for server, identity, etc, but with these group-related parameters: groupname_attribute = cn groupmembership_filter = (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) groupmembership_attribute = member # (also tried with memberOf, radiusGroup, radiusGroupName and several others) And, about the server, it is running Debian 7.5, OpenLDAP 2.4.31 and freeradius 2.1.12 (default packages from debian). I can provide any other info that you need :) Thanks everyone in advance!