Config hints for providing list of groups in post-auth?

Alan DeKok aland at
Mon Jun 6 20:35:04 CEST 2016

On Jun 6, 2016, at 2:29 PM, Mike Ely <me at> wrote:
> I have a 3.0.4 machine successfully authenticating against Active Directory. For the use case I have in mind I'd like to have the Freeradius server add into post-auth something like:
> Group-Name:= "Domain Users",
> Group-Name+= "All Staff",
> etc.

  Those are server-side attributes, and can't go into a RADIUS packet.

> The idea here is that the NAS will be able to make its own decisions about what to grant based on group membership once radius has authenticated the user.

  The NAS has to support this functionality.  If the NAS doesn't support it, then it's impossible.

> I can parse the group list easily enough from the shell, but don't know how to get this into post-auth. Also, is Group-Name the best choice here or should I be using another attribute?

  See your NAS documentation for how the NAS works.

  If you're writing your own NAS, use a vendor-specific dictionary to define your own group attribute.

  Alan DeKok.

More information about the Freeradius-Users mailing list