2

RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management.

The question is whether it is possible to get the user groups or other attributes. According to my understanding the answer is no, but I will be happy to clarify if I missed something:

During Access Request the client sends the client credentials (and optionally IP address and other parameters). The server responds with Access Accept (or Access Reject) but does not provide the user groups or other attributes.

Michael

1 Answer

2

The RADIUS response is not restricted to accept or reject but can actually contain more information. For example, you could use the 'Class' attribute as the group name. But of course the RADIUS server needs to put the necessary information into the attribute you expect, i.e. it needs to be configured to match your expectation. See also Cisco WSA : What is RADIUS CLASS attribute ? or Configure group-role mapping using Radius class attribute on Security Management Appliance (SMA).

Steffen Ullrich
  • Thanks for the prompt answer! Do you know the answer for the same question for TACACS (https://en.wikipedia.org/wiki/TACACS)? I can ask in a separate question. – Michael Nov 01 '16 at 16:42
  • @Michael: no, I don't know but I would expect it to be similar. – Steffen Ullrich Nov 01 '16 at 16:52