TOTPRadius - RADIUS Dynamic attribute response based on AD Group membership


Some systems use a special RADIUS attribute to apply certain operations to users. For example, the Tunnel-Private-Group-ID attribute designates the group ID value for a specified tunneling session in the WatchGuard VPN system. Private groups are used to associate configured tunnels with specified groups of users. The value of the field is unrestricted and can be configured in whatever way a specific implementation requires. Starting from TOTPRadius v0.2.9, it is possible to set the Tunnel-Private-Group-ID attribute value based on AD group membership.
This can be configured in Settings > RADIUS Service configuration:


The 'Additional RADIUS Attributes' field should contain the reference to the ldap-group script, as shown in the example below:

update reply { Filter-ID :=`/usr/bin/php /var/www/ldap-group.php '%{User-Name}' '%{User-Password}'` }

Important: the group names used for this parameter must not contain the "=" sign.
The 'RADIUS LDAP Group mapping' field should contain a mapping rule that gives members of the specified AD group a Tunnel-Private-Group-ID attribute equal to the chosen value.
For the example above, if a user belongs to an AD group named 'Token2_VPN_users', the Filter-ID is included in the RADIUS reply as shown below:



Note that nested groups are currently not supported: the user must be a direct member of the AD group for this setting to work correctly.
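As an added example (not TOTPRadius's own ldap-group.php), the following Python shows the lookup the script has to perform once it holds a user's memberOf list: parse the mapping rules, match only directly held groups, and return the value for the reply attribute. The rule format 'group=value' (one rule per line) and the sample DNs are assumptions, and the nested-group case returns no value, as the limitation above describes.

```python
"""Resolve a RADIUS group attribute value from direct AD group membership.

Added example, not TOTPRadius's own ldap-group.php. The mapping format
("<AD group name>=<attribute value>", one rule per line) is an assumption
about the 'RADIUS LDAP Group mapping' field; rules split on the first '=',
which is why group names must not contain that character.
"""
import re
from typing import Dict, List, Optional

# Constructed sample data, not real directory content.
SAMPLE_MAPPING = "Token2_VPN_users=VPN_Users\nVPN_Admins=Admin_Net"
DIRECT_MEMBER_OF = [  # user is a direct member of the mapped group
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "CN=Token2_VPN_users,OU=Groups,DC=example,DC=com",
]
NESTED_ONLY_MEMBER_OF = [  # Helpdesk may itself be nested in Token2_VPN_users
    "CN=Helpdesk,OU=Groups,DC=example,DC=com",
]
_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)

def parse_mapping(rules: str) -> Dict[str, str]:
    """Parse rules into {group name (lower-cased): attribute value}."""
    mapping: Dict[str, str] = {}
    for raw in rules.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        group, sep, value = line.partition("=")
        if not sep or not group.strip() or not value.strip():
            raise ValueError(f"malformed mapping rule: {raw!r}")
        mapping[group.strip().lower()] = value.strip()  # AD names are case-insensitive
    return mapping

def group_cn(dn: str) -> Optional[str]:
    """CN of a memberOf DN (escaped commas inside a CN are not handled)."""
    m = _CN_RE.match(dn.strip())
    return m.group(1) if m else None

def resolve_group_attribute(member_of: List[str], rules: str) -> Optional[str]:
    """Reply attribute value, or None when no mapped group matches.
    member_of holds direct memberships only (AD's memberOf): nested groups
    are not expanded, matching the documented limitation; first rule wins.
    """
    cns = {cn.lower() for cn in (group_cn(dn) for dn in member_of) if cn}
    for group, value in parse_mapping(rules).items():
        if group in cns:
            return value
    return None
```

With the constructed data, the directly-held membership resolves to "VPN_Users", while a user whose only path to the group is through the nested Helpdesk group gets no value.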