Group Authorization Question

Mike Diggins mike.diggins at McMaster.CA
Thu Jan 1 18:12:55 CET 2009

On Wed, 31 Dec 2008, tnt at wrote:

> Post the debug of the request. Is that profile appearing in some request
> attribute?

I made a little progress since my last email. I discovered how to return a 
group name in the Reply-Message attribute, and then parse that on my 
appliance. I'm wondering though, if I have users with multiple group
memberships, should I create a string of group names such as
"group1,group2, group3" for each user, and return that as the 
Reply-Message? Is that a sensible way to do it, or is there a better way?


> On 31/12/2008, "Mike Diggins" <mike.diggins at> wrote:
>> I have authentication working from my Cisco ASA550 VPN appliance to a
>> FreeRADIUS 2.1.1 server, using NTLM_AUTH for backend authentication. That
>> all works. Now I need to add authorization into the mix.
>> 	1. On the Radius server, I want to add a group X with a list of
>> 	   authorized usernames.
>> 	2. On the VPN side, the user selects a profile, and logs in, but I
>> 	   only want members of group X to be able to connect to that
>> 	   profile, even if the authentication is correct.
>> I have no idea how to make the connection between the group profile I
>> select on the VPN side, with the group X on the radius side. I'm not even
>> sure how (or where) to create such a group with FreeRADIUS. Can anyone
>> point me in the right direction?
>> -Mike

More information about the Freeradius-Users mailing list