# Active Directory with Organizations

This tutorial explains how to include organization and group names in the Active Directory RADIUS response. This allows Pritunl users to be added to organizations and groups based on the user's group membership in Active Directory. Each organization will need a network policy that includes the Pritunl organization and group names as custom string attributes.

To start create a new network policy. For this example the Pritunl Developers organization will be used. The name of the network policy should include the Pritunl organization name.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FbLUmr2CK4wEGItFqjdf2%2Fad_group0.png?alt=media\&token=8f1ed7d2-946f-4675-8054-0074ccf54ee7)

Next create a condition for the network policy to only match users in the Developers group in Active Directory.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FRejuTF7IDh7WfKylW4AF%2Fad_group1.png?alt=media\&token=3b1fe767-1767-4416-9be5-2384e7204f53)

Then select *Add*, choose the *ClientIPv4Address* condition and enter the IP address of the Pritunl server. This restricts the policy so that only requests from the Pritunl server can match it.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F5KrQANUi26PEObxh7ocY%2Fad_group11.png?alt=media\&token=ec871ac0-d873-4213-b60c-7b99900ced4d)

For the authentication methods configuration select *Unencrypted authentication (PAP, SPAP)*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FR262g7guXMTExw1FcJiH%2Fad_group2.png?alt=media\&token=356aa07a-be8d-400b-a885-17b6073f2ad1)

In the configuration settings select the *Vendor Specific* section then click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FgMkwHBOmyXg0bRhysgmM%2Fad_group3.png?alt=media\&token=130073e6-79a6-465d-9bfc-9b0e5ff4cfbd)

In the add vendor specific attribute window set *Vendor* to *Custom* then select the *Vendor-Specific* attribute. Then click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FnoXptQLVDyIOUAGqNckt%2Fad_group4.png?alt=media\&token=75083cd1-f785-41a1-8186-c8023d50200a)

In the attribute information window set the vendor code to *97* then select *Yes. It conforms* and click *Configure Attribute*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FdxxyOwPAMEBlFqGUhMqA%2Fad_group5.png?alt=media\&token=618f5583-acd1-4465-9e1b-d9d783d4e996)

In the VSA configuration window set the attribute number to *0* and the format to *String*. Then enter one organization name in the value. The organization name must match an existing organization in Pritunl. Multiple organization names can be provided by adding additional attributes with the attribute number *0*. Pritunl will add the user to the first matched organization.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Ft6x8saWknG1lYH7TjPeL%2Fad_group6.png?alt=media\&token=1f859a27-df3d-4959-bedc-28a504777414)

Group names can also be included but are not required. To do this, repeat the process above to add another attribute with vendor code *97*, this time setting the attribute number to *1*. Multiple group names can be provided by adding additional attributes with the attribute number *1*. Pritunl will add the user to all of the groups specified.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FMLcuDlNfmX1un5tGmEvl%2Fad_group7.png?alt=media\&token=d7a41911-3e71-406f-a674-66808fa3bb84)

Once done the attribute information window should look similar to the example below. This example will add the user to the *Developers* organization and both groups *Group* and *Group2*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FajkZ0nktqWGGSczPw1DV%2Fad_group9.png?alt=media\&token=38a46c74-fb1e-4597-9927-d452502c2bd5)
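To make the attribute layout concrete, the following is an added Python example (not Pritunl's own code) that encodes and decodes RADIUS Vendor-Specific attributes in the form configured above: vendor code 97, attribute number 0 for an organization name and 1 for a group name, applying the first-matching-organization and all-groups rules. The sample Access-Accept attributes and the set of existing Pritunl organizations are constructed for the example.

```python
import struct

VENDOR_ID = 97   # vendor code configured in the NPS policy
ATTR_ORG = 0     # vendor attribute number carrying an organization name
ATTR_GROUP = 1   # vendor attribute number carrying a group name
TYPE_VSA = 26    # RADIUS Vendor-Specific attribute type (RFC 2865)

def build_vsa(vendor_type, value):
    """Encode one vendor-97 VSA: type 26, length, vendor id, then sub-attribute (type, length, string)."""
    data = value.encode("utf-8")
    body = struct.pack("!IBB", VENDOR_ID, vendor_type, len(data) + 2) + data
    return struct.pack("!BB", TYPE_VSA, len(body) + 2) + body

def iter_attributes(raw):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    pos = 0
    while pos + 2 <= len(raw):
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("malformed RADIUS attribute length")
        yield atype, raw[pos + 2:pos + alen]
        pos += alen

def extract_org_groups(raw):
    """Collect organization candidates (attr 0) and groups (attr 1) from vendor-97 VSAs."""
    orgs, groups = [], []
    for atype, value in iter_attributes(raw):
        if atype != TYPE_VSA or len(value) < 4 or struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue  # not a vendor-97 VSA, ignore it
        pos = 4  # vendor sub-attributes follow the 4-byte vendor id
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute length")
            text = value[pos + 2:pos + vlen].decode("utf-8", "replace")
            if vtype == ATTR_ORG:
                orgs.append(text)
            elif vtype == ATTR_GROUP:
                groups.append(text)
            pos += vlen
    return orgs, groups

def resolve(raw, existing_orgs):
    """Rule from the page: the first organization name that exists in Pritunl wins; every group is kept."""
    orgs, groups = extract_org_groups(raw)
    return next((o for o in orgs if o in existing_orgs), None), groups

# Constructed sample Access-Accept attributes matching the example policy above
SAMPLE = b"".join([build_vsa(ATTR_ORG, "Developers"), build_vsa(ATTR_GROUP, "Group"), build_vsa(ATTR_GROUP, "Group2")])
```

Calling `resolve(SAMPLE, {"Developers", "Operations"})` returns `("Developers", ["Group", "Group2"])`; an organization name that does not exist in Pritunl is skipped in favour of the next one sent.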

For users belonging to multiple Active Directory groups the priority can be configured by reordering the network policies. The example below shows the *Developers* organization taking priority over the *Operations* organization. A user that is a member of both *Developers* and *Operations* will be added to the *Developers* organization.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FCKPQkx73TUKFVPmtXdam%2Fad_group10.png?alt=media\&token=58eca4ae-50ec-457a-b66b-760c1a7b39db)

Once the RADIUS server is configured, enter the IP address of the Windows RADIUS server with port *1812* and the shared secret from earlier in the Pritunl settings. Users will then be able to log in to the web console using their Active Directory credentials. When users connect they will also be required to enter their Active Directory password.

![](https://github.com/pritunl/pritunl-docs/blob/master/pritunl/.gitbook/assets/ad11.png)

The Windows Event Viewer is useful for determining why RADIUS authentication requests failed.

![](https://github.com/pritunl/pritunl-docs/blob/master/pritunl/.gitbook/assets/ad10.png)
