Freeradius - how to reply "memberof" active directory information for Strongswan

Alan DeKok aland at
Tue Sep 24 20:45:22 CEST 2019

On Sep 24, 2019, at 2:34 PM, S├ębastien Genesta <genesta.sebastien at> wrote:
> I'm using Freeradius for the Active Directory authentication of my
> Strongswan clients.

  That should be fine.

> My goal is to declare 2 vpn connections with different virtual IP leases,
> allowing me to separate traffic (as an example, one vpn connection for
> sales and the other for technicians).
> To do it, I'm trying to use Group selection option (rightgroups) on
> Strongswan.
> According to Strongswan documentation (
> I have to
> use class attribute on my freeradius server to return the group membership.
> The issue is that I don't know how.
> I'm using mschap for authentication to Active Directory.

  You can't get group information using mschap.  You MUST configure the ldap module to check AD for group membership.

> I've tried to follow this post but it didn't work

  Define "didn't work".  What happened?

> More precisaly below part (replacing ldap module by mschap module and also
> changing path because my freeradius version is 3.0):
> ...
> # /etc/raddb/sites-enabled/default
> post-auth {
> ...
>        foreach &reply:memberOf {
>            update reply {
>                Class += "%{Foreach-Variable-0}"
>            }
>        }
> ...
> }

  And... what showed up in the debug output?

> Is there any official guide explaning how to reply memberOf attribute?


> How can I do it?

  The above method *should* work, provided you read the debug output to see what's going on.

  Alan DeKok.

More information about the Freeradius-Users mailing list