Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir vladlevin at
Thu Sep 5 10:12:30 CEST 2019

Hi Fajar,

After reading your reply I've realized that, since all Synology users belong to the "users" group, I can simply use that value in the Class statement. And it worked! Now all that's left to do is to include the "admin" group for router administration, but it looks like there's a syntax error in the 2nd line of the code I came up with:

update reply {
	if (&User-Name == "cisco") {
		Class := "admin"
	else {
		Class := "users"

Could you tell me what I'm doing wrong?

Thanks a lot,

-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Fajar A. Nugraha
Sent: Wednesday, September 04, 2019 10:04 PM
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

On Thu, Sep 5, 2019 at 9:43 AM Levin, Vladimir <vladlevin at> wrote:
> Hi Fajar,
> Just to be clear: the user accounts and groups already exist in Synology's local database.

Does freeradius get the same information from that database?

>  My goal is to return the users' group as a Class attribute in the authentication reply to the RADIUS client (Cisco VPN router).  Here's what I did (working config files are located in  /usr/local/synoradius/):
> 1. Created  /usr/local/synoradius/groups  file with the following content:
> update reply {
>         Class := "%{Group}"
> }

Have you determined that %{Group} actually contains the correct group?

> The client log reads "charon: Localdb:authorization failed as group is NULL".
> Below is the server log:
> Type    Date & Time     Event
> 2019-09-04 18:59:06     Info    Ready to process requests
> 2019-09-04 18:59:06     Debug   (0) Cleaning up request packet ID 166 with timestamp +36671
> 2019-09-04 18:59:01     Debug   Waking up in 4.9 seconds.
> 2019-09-04 18:59:01     Debug   (0) Finished request
> 2019-09-04 18:59:01     Debug   (0) Class := 0x

Looking at this, it seems that %{Group} is expanded to null.

Where did synology define the group? If it's part of unix group, then
, it does not store group membership in 'Group' attribute. You might
be able to use something like
, but it might or might not work depending on what's in your

If your user/group are stored in sql, then it's another different
story. You might be able to get group membership using a custom SQL

In any case, you can see what attributes you can use (for update
reply) in debug mode using debug_all:

More information about the Freeradius-Users mailing list
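
Added example, not part of the original thread: for the conditional Class assignment asked about at the top of the message, unlang in FreeRADIUS 3.x (version assumed from the log format) allows only attribute assignments inside an `update` section, so the `if`/`else` has to wrap the `update reply` blocks instead of sitting inside one. The sketch reuses the thread's "cisco" user and "admin"/"users" values and assumes it replaces the existing `update reply` block in the same policy file.

```unlang
# Decide the group first, then emit one update section per branch.
# An "if" placed inside "update reply { ... }" is parsed as an
# attribute assignment and rejected, which is the syntax error
# reported on the second line of the posted snippet.
if (&User-Name == "cisco") {
	update reply {
		# Router administrators
		&Class := "admin"
	}
}
else {
	# "else" starts on its own line, after the closing brace of "if"
	update reply {
		# Every other Synology account is in the "users" group
		&Class := "users"
	}
}
# Every opening brace above has a matching close; the posted snippet
# also left its "if", "else" and "update" sections unterminated.
```

Class is an octets attribute, so in debug output a populated value appears as hex (for example 0x61646d696e for "admin") rather than the empty `Class := 0x` shown in the quoted log.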