RADIUS Translation – Map Directory Attributes to RADIUS Responses
Overview
The RADIUS Translation page defines rules that map LDAP directory attributes to RADIUS response attributes. When a user authenticates through an LDAP profile or Entra ID profile with RADIUS translation enabled, MideyeServer reads the specified LDAP attributes from the user’s directory entry, matches them against configured patterns, and includes the corresponding RADIUS attributes in the Access-Accept response.
This feature is essential for role-based access control, VLAN assignment, and vendor-specific attribute delivery based on directory group membership.
Access & Permissions
Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, or delete rules)
Navigation: Home → Directory Settings → RADIUS Translation
| Role | View | Create / Edit / Delete |
|---|---|---|
| ROOT | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ |
| ADMIN | ✅ | ✅ |
| OPERATOR | ✅ | ❌ |
Features & Configuration
Data Grid Columns
| Column | Description | Visibility |
|---|---|---|
| LDAP Attribute | LDAP attribute name(s) to read from the directory | Default |
| LDAP Value | Regex pattern to match against the attribute value | Always |
| RADIUS Attribute | Target RADIUS attribute for the response | Default |
| RADIUS Value | Value to set in the RADIUS response when matched | Default |
| Action | Edit and Delete buttons (admin only) | Always |
Create / Edit Form
Translation Rule Fields
| Field | Type | Required | Validation | Default | Description |
|---|---|---|---|---|---|
| LDAP Attributes | Multi-tag input | No | — | `memberOf` | LDAP attribute(s) to read. Multiple attributes are separated by semicolons |
| LDAP Value | Text | Yes | — | `(.*)VPNUsers(.*)` | Regex pattern to match against the LDAP attribute value |
| RADIUS Attribute Type | Select | Yes | — | Standard (RFC 2865) | Filters the attribute dropdown: Standard or Vendor-Specific |
| RADIUS Attribute | Select | Yes | — | — | Target RADIUS attribute (filtered by type and vendor) |
| RADIUS Value | Text | Yes | — | — | Value to include in the RADIUS response |
RADIUS Attribute Type Options
| Option | Description |
|---|---|
| Standard Attribute (RFC 2865) | Standard RADIUS attributes (e.g., Filter-Id, Class, Framed-IP-Address) |
| Vendor-Specific Attributes | Custom attributes from configured vendors |
How Translation Works
- A user authenticates through a RADIUS client that references an LDAP or Entra ID profile.
- The profile must have RADIUS translation enabled (LDAP: `enableLdapRadiusTranslation`, Entra ID: `enableRadiusTranslation`).
- MideyeServer reads the specified LDAP attributes from the user’s directory entry.
- Each translation rule’s LDAP Value regex pattern is matched against the attribute values.
- For every matching rule, the configured RADIUS Attribute with the specified RADIUS Value is added to the Access-Accept response.
- If a rule maps to the RADIUS `Class` attribute with a role type value, it functions as a role translation rule.
Common Use Cases
Assigning VLAN by Group Membership
Map Active Directory group membership to a RADIUS attribute for VLAN assignment:
- Click Add New.
- Set LDAP Attributes to `memberOf`.
- Set LDAP Value to `(.*)VLAN100-Users(.*)` (regex matching the group DN).
- Select the appropriate RADIUS attribute (e.g., Tunnel-Private-Group-ID or a vendor-specific attribute).
- Set RADIUS Value to `100`.
- Save.
Role-Based Access Control
Map directory groups to RADIUS Class attributes for role assignment:
- Click Add New.
- Set LDAP Attributes to `memberOf`.
- Set LDAP Value to `(.*)Administrators(.*)`.
- Select the Class RADIUS attribute.
- Set RADIUS Value to the role identifier expected by the access device.
- Save.
Using Vendor-Specific Attributes
- First, create the vendor and attributes on the Vendor-Specific Attributes page.
- Click Add New on the RADIUS Translation page.
- Change RADIUS Attribute Type to the appropriate vendor.
- Select the vendor-specific attribute.
- Set the LDAP Value pattern and RADIUS Value.
- Save.
Multiple Attribute Sources
Use the multi-tag input to check multiple LDAP attributes:
- Add multiple attribute names (e.g., `memberOf`, `department`).
- The LDAP Value regex is tested against values from all specified attributes.
- Any match triggers the RADIUS attribute inclusion.
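The rule evaluation described under How Translation Works and in the use cases above, modelled as an added example; it is not Mideye code. It assumes the whole attribute value must match the pattern, with Python `re` semantics (the page does not describe the product's regex engine). The `example.com` DNs, the users, the `Filter-Id` rule and the RADIUS values `admin` and `finance-acl` are constructed. It shows that `(.*)Administrators(.*)` also matches any group whose DN merely contains that word, and how a pattern pinned to the full group DN avoids that.

```python
import re

# Constructed rules in the shape of the page's form fields:
# (LDAP attributes, LDAP value regex, RADIUS attribute, RADIUS value).
RULES = [
    (["memberOf"], r"(.*)VLAN100-Users(.*)", "Tunnel-Private-Group-ID", "100"),
    (["memberOf"], r"(.*)Administrators(.*)", "Class", "admin"),
    (["memberOf", "department"], r"(.*)Finance(.*)", "Filter-Id", "finance-acl"),
]

# Tighter variant of the Administrators rule: match only one exact group DN
# (constructed), not every DN that happens to contain the word.
STRICT_ADMIN = (["memberOf"],
                r"CN=Administrators,OU=Groups,DC=example,DC=com",
                "Class", "admin")


def translate(entry, rules):
    """Return the (attribute, value) pairs to add to the Access-Accept.

    Assumption: a rule matches when the pattern matches an entire
    attribute value (re.fullmatch), case-sensitively.
    """
    reply = []
    for ldap_attrs, pattern, radius_attr, radius_value in rules:
        # Values from every listed attribute are tested with the same regex.
        values = [v for attr in ldap_attrs for v in entry.get(attr, [])]
        # Any matching value triggers the rule; every matching rule
        # contributes an attribute, none short-circuits the others.
        if any(re.fullmatch(pattern, v) for v in values):
            reply.append((radius_attr, radius_value))
    return reply


# Constructed directory entries.
ALICE = {"memberOf": ["CN=Administrators,OU=Groups,DC=example,DC=com",
                      "CN=VLAN100-Users,OU=Groups,DC=example,DC=com"]}
BOB = {"memberOf": ["CN=Printer-Administrators-ReadOnly,OU=Groups,"
                    "DC=example,DC=com"],
       "department": ["Finance"]}

if __name__ == "__main__":
    for name, entry in (("alice", ALICE), ("bob", BOB)):
        print(name, "broad :", translate(entry, RULES))
        print(name, "strict:", translate(entry, [STRICT_ADMIN]))
```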
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| RADIUS attributes not included in response | Translation not enabled on the directory profile | Enable RADIUS translation on the LDAP or Entra ID profile |
| Regex not matching | Pattern does not account for full DN format | Test with broader patterns; AD group DNs include full path (e.g., CN=Group,OU=Groups,DC=...) |
| Wrong vendor attributes shown | Vendor not configured | Create the vendor on the Vendor-Specific Attributes page first |
| Multiple rules matching | All matching rules add attributes | This is expected behavior — all matching rules are applied |
Related Pages
- LDAP Profiles — Enable RADIUS translation on LDAP directory profiles
- Entra ID Profiles — Enable RADIUS translation on Entra ID profiles
- Vendor-Specific Attributes — Define custom RADIUS attributes for translation targets
- RADIUS Clients — Associate directory profiles with RADIUS clients