Config hints for providing list of groups in post-auth?

Mike Ely me at
Mon Jun 6 20:40:11 CEST 2016

On 06/06/2016 11:35 AM, Alan DeKok wrote:
> On Jun 6, 2016, at 2:29 PM, Mike Ely <me at> wrote:
>> I have a 3.0.4 machine successfully authenticating against Active Directory. For the use case I have in mind I'd like to have the Freeradius server add into post-auth something like:
>> Group-Name:= "Domain Users",
>> Group-Name+= "All Staff",
>> etc.
>    Those are server-side attributes, and can't go into a RADIUS packet.
Good to know.
>> The idea here is that the NAS will be able to make its own decisions about what to grant based on group membership once radius has authenticated the user.
>    The NAS has to support this functionality.  If the NAS doesn't support it, then it's impossible.
We have full control over the NAS and what it supports.
>> I can parse the group list easily enough from the shell, but don't know how to get this into post-auth. Also, is Group-Name the best choice here or should I be using another attribute?
>    See your NAS documentation for how the NAS works.
>    If you're writing your own NAS, use a vendor-specific dictionary to define your own group attribute.
>    Alan DeKok.
Excellent - the dictionary part seems straightforward.

What I'm wondering is how to get the group membership from the OS into a 
radius packet. Is there some kind of command from unlang that can 
execute a shell command? I'm hoping for something along the lines of 
"exec username" that returns an array of variables, in this 
case the list of group names.

More information about the Freeradius-Users mailing list