FreeRadius - Pass LDAP Group (Attribute?) to RSSO?

Alan DeKok aland at
Wed Dec 13 17:58:26 CET 2017

On Dec 13, 2017, at 12:12 AM, Matthew Stavert <matthew.stavert at> wrote:
> Hello.  My FreeRadius version on SLES is 2.1.1-7.18.1

  You should really upgrade.  There's just no reason to use a version that's nearly a decade old.

>  My FreeRadius setup
> is using eDirectory LDAP and integrates with the LDAP module on
> FreeRadius.  Recently, I decided it was a good idea to send my radius
> authentication accounting data to my Fortigate using RSSO.  I have this all
> working, and my usernames from my chosen radius server are showing up on my
> Fortigate now.

  That's good...

>  I have one small hurdle now.  When the usernames show up,
> they are not associated with any groups.  On the Fortigate I can associate
> or make an RSSO group, that will look at a class attribute (I think),

  You need to be sure of that before coming up with a solution.

> on
> the FreeRadius server, and using that attribute the RSSO group will match
> the usernames to that group, and match the group name with the username on
> the Fortigate (I hope I'm explaining this well).


>  I have found
> documentation for MS NPS radius servers, but I am unsure of how to perform
> the equivalent process on the FreeRadius server.  I am hoping someone can
> provide me with an example or point me in the right direction on how I can
> perform this on FreeRadius since I am using Rreeradius server.   It seems
> like there might be a way to do this with the CLASS attribute, but I would
> need help with this.  I am open to any ideas, and or solutions with
> FreeRadius that would accomplish this.

  What, exactly do you need to do?  Write that down, first.  e.g.

  If they're a member of LDAP group X, send class Y.


  Then... implement that in unlang.

  And upgrade to v3.  It will be infinitely easier to do this (and debug it), than in 2.1.1.

  Alan DeKok.

More information about the Freeradius-Users mailing list