My understanding is that, when a Linux server delegates authentication chores (via PAM) to a RADIUS server, the information having to do with the groups that the authenticated user belongs to is retrieved either locally - from the relevant entry in /etc/passwd - or from a remote server via NSS - for example, from an LDAP server. Is there anything preventing one from getting the group information from the RADIUS server itself? The RADIUS server could be configured so that, when a user has been successfully authenticated by said server, this server would send back the authentication OK RADIUS message together with one or more attributes containing the groups information. The reason I am asking this is because I have interacted with some devices in the past that were able to get these data from a RADIUS server alone. However, I don't know if this was achieved with the concourse of a mechanism similar to what I described, or something totally different.