Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Fajar A. Nugraha list at
Thu Sep 5 07:04:10 CEST 2019

On Thu, Sep 5, 2019 at 9:43 AM Levin, Vladimir <vladlevin at> wrote:
> Hi Fajar,
> Just to be clear: the user accounts and groups already exist in Synology's local database.

Does freeradius get the same information from that database?

> My goal is to return the users' group as a Class attribute in the authentication reply to the RADIUS client (Cisco VPN router). Here's what I did (working config files are located in /usr/local/synoradius/):
> 1. Created /usr/local/synoradius/groups file with the following content:
> update reply {
>         Class := "%{Group}"
> }

Have you determined that %{Group} actually contains the correct group?

> The client log reads "charon: Localdb:authorization failed as group is NULL".
> Below is the server log:
> Type    Date & Time     Event
> 2019-09-04 18:59:06     Info    Ready to process requests
> 2019-09-04 18:59:06     Debug   (0) Cleaning up request packet ID 166 with timestamp +36671
> 2019-09-04 18:59:01     Debug   Waking up in 4.9 seconds.
> 2019-09-04 18:59:01     Debug   (0) Finished request
> 2019-09-04 18:59:01     Debug   (0) Class := 0x

Looking at this, it seems that %{Group} is expanded to null.

Where did synology define the group? If it's part of unix group, then
, it does not store group membership in 'Group' attribute. You might
be able to use something like
, but it might or might not work depending on what's in your

If your user/group are stored in sql, then it's a different
story. You might be able to get group membership using a custom SQL

In any case, you can see what attributes you can use (for update
reply) in debug mode using debug_all:


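An added example, not part of the original message and not FreeRADIUS code: a small Python check that scans a debug log in the layout quoted in the thread for reply attributes whose value expanded to nothing, as `Class := 0x` did. The sample log is constructed (the request 1 lines are invented for contrast) and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the server log quoted in the thread
# (date, time, level, message). Request (1) lines are invented for contrast.
SAMPLE_LOG = """\
2019-09-04 18:59:06     Info    Ready to process requests
2019-09-04 18:59:01     Debug   (0) Finished request
2019-09-04 18:59:01     Debug   (0) Class := 0x
2019-09-04 18:59:02     Debug   (1) Class := 0x61646d696e73
2019-09-04 18:59:02     Debug   (1) Reply-Message := ""
"""

# "(request id) Attribute op value" as it appears in the message column.
ASSIGN_RE = re.compile(r"\((\d+)\)\s+([A-Za-z][\w-]*)\s*(?::=|\+=|=)\s*(.*)$")
# Ways an empty expansion shows up: nothing, empty octets, empty string.
EMPTY_VALUES = {"", "0x", '""', "''"}


def parse_assignments(log_text):
    """Yield (request_id, attribute, raw_value) for each assignment line."""
    for line in log_text.splitlines():
        m = ASSIGN_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).strip()


def find_empty_assignments(log_text):
    """Assignments whose right-hand side expanded to nothing."""
    return [a for a in parse_assignments(log_text) if a[2] in EMPTY_VALUES]


def decode_octets(raw_value):
    """Turn an octets value printed as 0x<hex> back into text."""
    if not raw_value.startswith("0x"):
        return raw_value
    return bytes.fromhex(raw_value[2:]).decode("utf-8", errors="replace")


if __name__ == "__main__":
    for req, attr, raw in parse_assignments(SAMPLE_LOG):
        status = "EMPTY" if raw in EMPTY_VALUES else repr(decode_octets(raw))
        print(f"request {req}: {attr} -> {status}")
```

An empty result for `Class` means the router receives no group at all, which matches the client-side "group is NULL" message in the thread.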