Docs

Guides

Blog

Tools

TOTPRadius - RADIUS Dynamic attribute response based on AD Group membership


Some systems us special RADIUS attribute for applying certain operations to users. For example, the Tunnel-Private-Group-ID attribute designates the group ID value for a specified tunneling session of the Watchguard  VPN system. Private groups are used to associate configured tunnels with specified groups of users. The value of the field is unrestricted and can be configured in whatever way a specific implementation requires. Starting from TOTPRadius v0.2.9, it is possible to set Tunnel-Private-Group-ID attribute value based on AD Group Membership.
This can be configured in Settings → RADIUS Service configuration:


The 'Additional RADIUS Attributes' field should contain the reference to the ldap-group script as shown on the example below:

update reply { Filter-ID :=`/usr/bin/php /var/www/ldap-group.php '%{User-Name}' '%{User-Password}'` }

Important: The group names used for this parameter should not contain "=" sign.
The 'RADIUS LDAP Group mapping' field should contain a mapping rule, which allows members of the specified AD group to have Tunnel-Private-Group-ID attribute equal to some value.
For the example above, if a user belongs to an AD Group named 'Token2_VPN_users', the Filter-ID will be included in the Radius reply as below:



Kindly note that nested group membership is currently not supported. The user must be a direct member of the AD group for this setting to work correctly. Additionally, this functionality is supported only when full authentication mode is used (i.e., both password and OTP are supplied in the RADIUS request). If single-factor authentication is used, group membership will not be checked or returned.


updated: 03/02/2026 09:26