returning user and primary group (or any other ldap attribute) with radius response

Alan DeKok aland at
Wed Aug 10 11:18:02 CEST 2016

On Aug 10, 2016, at 10:51 AM, Thomas Schweikle <tschweikle at> wrote:
> Hmmmmmmmm???

  Please give useful comments.  Things like this don't help.

> 2016-08-10 10:18 GMT+02:00 Alan DeKok <aland at>:
>> On Aug 10, 2016, at 10:14 AM, Thomas Schweikle <tschweikle at> wrote:
>>> After searching for long with google, or in the manuals, i was not
>>> able to find any cookbook recipe to advice freeradius to respond with
>>> username and primary group for an authenticated user.
> The username and primary group or any other ldap provided attribute
> for the given user.

  The primary group is an *LDAP* attribute.  It doesn't go into a RADIUS packet.

>>  Probably because you can't normally do group assignments via RADIUS.
> I do not mean group assignments via radius (I did not state this). I
> mean returning the primary group or any other ldap attribute together
> with Access-Accept.

  LDAP groups don't go into Access-Accept.

>>> The access-point needs this to sort out users into guest or internal
>>> networks. So how can I set up freeradius to return username and
>>> primary group (or any other ldap attribute) with the OK-response?
>>  Your access point documentation should say which attributes it needs in the Access-Accept.
> These are vague.

  What's vague?  My answer, or the access point documentation?

  This isn't difficult.  If your access point needs an attribute in an Access-Accept, the documentation should say what attribute is needed in Access-Accept.

  And in general, group membership is NOT sent via RADIUS.  As I've said.

  Please explain WHAT access point you're using, and WHY you believe you should be sending group information in the Access-Accept.

> At least the users username is quested. A group the
> user belongs to would be nice too. And maybe further informations ...

  It would be nice to get questions with content.

>>  Then... configure FreeRADIUS to send those attributes.
> And ... how is this done?????

  If only the server had documentation or examples on how to update / edit packets.  Or how to add attributes to packets.

> Any hints? -- I was searching around for some days now and could not
> find anything working. A lot of information, but nothing changing the
> servers response. Any recipe what to do to make the server add
> something like the username as a point to start with and experiment on
> how the routers and access-points want these informations.

  See "man unlang", or the dozens of examples in the raddb/virtual-server/ directory.

  it doesn't take searching for days.  It takes maybe 10 minutes to read the existing documentation and examples

>>  Since you're not saying what the access point actually needs, any answer is necessarily vague.
>>  Provide better information, and you'll get a better answer.
> ???
> I thought I was clear:

  You weren't clear.

  You're not clear on how RADIUS works.  Or how FreeRADIUS works.  As a result, your question is based on incorrect assumptions.

  So I have no real idea what you're trying to do, or why you're trying to do it.

> what do I have to do to make freeradius add at
> least a username to Access-Accept.

   See the docs:

	update reply {
		User-Name := request:User-Name

> What do I have to do to make freeradius add the users primary group to
> Access-Accept.

  You don't.  As I've said.  Groups don't go into RADIUS packets.

  And, as I've said, if the access point needs group information, then the **ACCESS POINT DOCUMENTATION** will say what attributes it needs.

  Then, using the FreeRADIUS documentation and examples... configure the server to send those attributes.

  You can't just say "I want the groups to magically go into an Access-Accept".  RADIUS packets contain attributes.  Attributes have names.  So.. what's the name of the attribute you need to use?

  And don't respond with "I need to put LDAP groups into a RADIUS packet".

> What do I have to do to add what ever group the user is in to Access-Accept.
> And maybe on what do I have to do to make freeradius add whatever ldap
> attribute from the users attributes to Access-Accept.

  What **RADIUS ATTRIBUTE** does that information go into?

  You're pretty clear that you want to do something.  But you don't even know the basic terminology behind RADIUS.  That's OK, because everyone started from somewhere.

  What's *not* OK is that you reply to my questions with more of the same "I need to put LDAP groups into a RADIUS packet"

  No, it doesn't work like that.  Please educate yourself, and understand that I'm not being difficult.  I'm trying to get you to explain WHAT you're doing, and WHY,  Without that information, it's impossible for anyone to help you.

  Alan DeKok.

More information about the Freeradius-Users mailing list