FreeRadius - Pass LDAP Group (Attribute?) to RSSO?

Alan DeKok aland at
Wed Dec 13 19:25:58 CET 2017

On Dec 13, 2017, at 12:50 PM, Matthew Stavert <matthew.stavert at> wrote:
>> *What, exactly do you need to do?  Write that down, first.  e.g.*
> I need to identify the group the user is in once they are authenticated,
> and then pass the users's group to the Dynamic RSSO group on the Fortigate
> using the Class attribute I believe.
> A picture is worth 1000 words...or something like that:

  The list strips pictures.  Too many people were posting PNGs of screen captures showing debug logs in a terminal window.

> [image: Inline image 2]
> The user names are being passed from freeradius, but the user's are not
> there.

  Where is "there"?

> To pass the user's LDAP group, I believe I need to identify which group
> they are a part of in freeradius, and put that in CLASS.

  That's what I said...

>> * If they're a member of LDAP group X, send class Y.*
>> etc.
> Yes, this is what I need to do.  If member of student, send Class=students,
> If member of admins send class=admins, if member of staff, send class=staff.
> Would I have to identify some of this in the LDAP module, or is free radius
> Version 3, smart enough to identity what group the user is a part of in

  It doesn't read your mind.  You need to configure it to do what you want.

  And the documentation helps here...

>  If it is, I imagine I can just move to implementing in unlang.  If
> not...can you provide me with some guidance where I would start identifying
> or how I would identify what gorup the user was a part of in free radius,
> and what file that would go in?

  Type "ldap group" into the search bar.  Read the documentation.

>> *Then... implement that in unlang.*
> What conf file and area would be the best place to put the unlang if
> statements, IE:

  All of this is documented.

>> *And upgrade to v3.  It will be infinitely easier to do this (and debug
> it), than in 2.1.1.*
> I will be upgrading to version 3 today, and getting this all going on the
> newest server.

  That's good.

  Alan DeKok.

More information about the Freeradius-Users mailing list