diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile index 09a4dcbc3..abfa82c67 100644 --- a/net/freeradius/Makefile +++ b/net/freeradius/Makefile @@ -1,6 +1,5 @@ PLUGIN_NAME= freeradius -PLUGIN_VERSION= 1.9.27 -PLUGIN_REVISION= 1 +PLUGIN_VERSION= 1.9.28 PLUGIN_COMMENT= RADIUS Authentication, Authorization and Accounting Server PLUGIN_DEPENDS= freeradius3 PLUGIN_MAINTAINER= m.muenz@gmail.com diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr index 66640e76e..21116160b 100644 --- a/net/freeradius/pkg-descr +++ b/net/freeradius/pkg-descr @@ -17,6 +17,11 @@ WWW: https://www.freeradius.org Plugin Changelog ================ +1.9.28 + +* Add Groups for VLAN assignment +* Add Fallback PPSK + 1.9.27 * Allow EAP-TLS with multiple CAs (contributed by RasAlGhul) diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapgroupController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapgroupController.php new file mode 100644 index 000000000..06b8377b9 --- /dev/null +++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapgroupController.php 
@@ -0,0 +1,203 @@
+
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Freeradius\Api;
+
+use OPNsense\Freeradius\Ldapgroup;
+use OPNsense\Core\Config;
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Base\UIModelGrid;
+
+class LdapgroupController extends ApiMutableModelControllerBase
+{
+ protected static $internalModelName = 'Ldapgroup';
+ protected static $internalModelClass = '\OPNsense\Freeradius\Ldapgroup';
+
+ public function getAction()
+ {
+ // define list of configurable settings
+ $result = array();
+ if ($this->request->isGet()) {
+ $mdlLdapgroup = new Ldapgroup();
+ $result['ldapgroup'] = $mdlLdapgroup->getNodes();
+ }
+ return $result;
+ }
+
+ public function setAction()
+ {
+ $result = array("result" => "failed");
+ if ($this->request->isPost()) {
+ // load model and update with provided data
+ $mdlLdapgroup = new Ldapgroup();
+ $mdlLdapgroup->setNodes($this->request->getPost("ldapgroup"));
+ // perform validation
+ $valMsgs = $mdlLdapgroup->performValidation();
+ foreach ($valMsgs as $field => $msg) {
+ if (!array_key_exists("validations", $result)) {
+ $result["validations"] = array();
+ }
+ $result["validations"]["ldapgroup." . $msg->getField()] = $msg->getMessage();
+ }
+ // serialize model to config and save
+ if ($valMsgs->count() == 0) {
+ $mdlLdapgroup->serializeToConfig();
+ Config::getInstance()->save();
+ $result["result"] = "saved";
+ }
+ }
+ return $result;
+ }
+
+ public function searchLdapgroupAction()
+ {
+ $mdlLdapgroup = $this->getModel();
+ $grid = new UIModelGrid($mdlLdapgroup->ldapgroups->ldapgroup);
+ return $grid->fetchBindRequest(
+ $this->request,
+ array("enabled", "ldapgroupname", "vlan" )
+ );
+ }
+
+ public function getLdapgroupAction($uuid = null)
+ {
+ $mdlLdapgroup = $this->getModel();
+ if ($uuid != null) {
+ $node = $mdlLdapgroup->getNodeByReference('ldapgroups.ldapgroup.' . $uuid);
+ if ($node != null) {
+ // return node
+ return array("ldapgroup" => $node->getNodes());
+ }
+ } else {
+ $node = $mdlLdapgroup->ldapgroups->ldapgroup->add();
+ return array("ldapgroup" => $node->getNodes());
+ }
+ return array();
+ }
+
+ public function addLdapgroupAction()
+ {
+ $result = array("result" => "failed");
+ if ($this->request->isPost() && $this->request->hasPost("ldapgroup")) {
+ $result = array("result" => "failed", "validations" => array());
+ $mdlLdapgroup = $this->getModel();
+ $node = $mdlLdapgroup->ldapgroups->ldapgroup->Add();
+ $node->setNodes($this->request->getPost("ldapgroup"));
+ $valMsgs = $mdlLdapgroup->performValidation();
+ foreach ($valMsgs as $field => $msg) {
+ $fieldnm = str_replace($node->__reference, "ldapgroup", $msg->getField());
+ $result["validations"][$fieldnm] = $msg->getMessage();
+ }
+ if (count($result['validations']) == 0) {
+ unset($result['validations']);
+ // save config if validated correctly
+ $mdlLdapgroup->serializeToConfig();
+ Config::getInstance()->save();
+ unset($result['validations']);
+ $result["result"] = "saved";
+ }
+ }
+ return $result;
+ }
+
+ public function delLdapgroupAction($uuid)
+ {
+ $result = array("result" => "failed");
+ if ($this->request->isPost()) {
+ $mdlLdapgroup = $this->getModel();
+ if ($uuid != null) {
+ if ($mdlLdapgroup->ldapgroups->ldapgroup->del($uuid)) {
+ $mdlLdapgroup->serializeToConfig();
+ Config::getInstance()->save();
+ $result['result'] = 'deleted';
+ } else {
+ $result['result'] = 'not found';
+ }
+ }
+ }
+ return $result;
+ }
+
+ public function setLdapgroupAction($uuid)
+ {
+ if ($this->request->isPost() && $this->request->hasPost("ldapgroup")) {
+ $mdlSetting = $this->getModel();
+ if ($uuid != null) {
+ $node = $mdlSetting->getNodeByReference('ldapgroups.ldapgroup.' . $uuid);
+ if ($node != null) {
+ $result = array("result" => "failed", "validations" => array());
+ $ldapgroupInfo = $this->request->getPost("ldapgroup");
+ $node->setNodes($ldapgroupInfo);
+ $valMsgs = $mdlSetting->performValidation();
+ foreach ($valMsgs as $field => $msg) {
+ $fieldnm = str_replace($node->__reference, "ldapgroup", $msg->getField());
+ $result["validations"][$fieldnm] = $msg->getMessage();
+ }
+ if (count($result['validations']) == 0) {
+ // save config if validated correctly
+ $mdlSetting->serializeToConfig();
+ Config::getInstance()->save();
+ $result = array("result" => "saved");
+ }
+ return $result;
+ }
+ }
+ }
+ return array("result" => "failed");
+ }
+
+ public function toggle_handler($uuid, $elements, $element)
+ {
+ $result = array("result" => "failed");
+ if ($this->request->isPost()) {
+ $mdlSetting = $this->getModel();
+ if ($uuid != null) {
+ $node = $mdlSetting->getNodeByReference($elements . '.' . $element . '.' . $uuid);
+ if ($node != null) {
+ if ($node->enabled->__toString() == "1") {
+ $result['result'] = "Disabled";
+ $node->enabled = "0";
+ } else {
+ $result['result'] = "Enabled";
+ $node->enabled = "1";
+ }
+ // if item has toggled, serialize to config and save
+ $mdlSetting->serializeToConfig();
+ Config::getInstance()->save();
+ }
+ }
+ }
+ return $result;
+ }
+
+ public function toggleLdapgroupAction($uuid)
+ {
+ return $this->toggle_handler($uuid, 'ldapgroups', 'ldapgroup');
+ }
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/LdapgroupController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/LdapgroupController.php
new file mode 100644
index 000000000..4834bf5fd
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/LdapgroupController.php
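Review bot: searchLdapgroupAction, getLdapgroupAction, addLdapgroupAction, delLdapgroupAction, setLdapgroupAction and toggleLdapgroupAction hand-roll the grid fetch, validation-message prefixing and Config save that ApiMutableModelControllerBase already exposes as searchBase, getBase, addBase, delBase, setBase and toggleBase, and the copy shows it: `unset($result['validations'])` appears twice in addLdapgroupAction, `$uuid != null` is a loose comparison throughout, and `toggle_handler` is a public non-Action method used only by toggleLdapgroupAction. Delegating to the base helpers keeps the endpoint names and response shapes the ldapgroup.volt page calls while validation and persistence live in one place (`use OPNsense\Base\UIModelGrid;` then becomes unused). If the plugin must still run on a core release that predates those helpers, at least make `toggle_handler` `protected` and drop the duplicated unset. The rewrite below replaces the six methods; getAction and setAction are left as they are.
```php
    // … unchanged: license header, namespace/use lines, $internalModel* properties, getAction, setAction …

    public function searchLdapgroupAction()
    {
        return $this->searchBase('ldapgroups.ldapgroup', ['enabled', 'ldapgroupname', 'vlan']);
    }

    public function getLdapgroupAction($uuid = null)
    {
        return $this->getBase('ldapgroup', 'ldapgroups.ldapgroup', $uuid);
    }

    public function addLdapgroupAction()
    {
        return $this->addBase('ldapgroup', 'ldapgroups.ldapgroup');
    }

    public function delLdapgroupAction($uuid)
    {
        return $this->delBase('ldapgroups.ldapgroup', $uuid);
    }

    public function setLdapgroupAction($uuid)
    {
        return $this->setBase('ldapgroup', 'ldapgroups.ldapgroup', $uuid);
    }

    public function toggleLdapgroupAction($uuid, $enabled = null)
    {
        return $this->toggleBase('ldapgroups.ldapgroup', $uuid, $enabled);
    }
```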
@@ -0,0 +1,38 @@
+
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Freeradius;
+
+class LdapgroupController extends \OPNsense\Base\IndexController
+{
+ public function indexAction()
+ {
+ $this->view->formDialogEditFreeRADIUSLdapgroup = $this->getForm("dialogEditFreeRADIUSLdapgroup");
+ $this->view->pick('OPNsense/Freeradius/ldapgroup');
+ }
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSLdapgroup.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSLdapgroup.xml
new file mode 100644
index 000000000..ac48a4bb2
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSLdapgroup.xml @@ -0,0 +1,20 @@ +
+ + ldapgroup.enabled + + checkbox + This will enable or disable the user account. + + + ldapgroup.ldapgroupname + + text + The complete LDAP DN. + + + ldapgroup.vlan + + text + VLAN ID for the specific LDAP group. + +
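Review bot: The help text for `ldapgroup.enabled` reads `This will enable or disable the user account.`, which was carried over from the user dialog; what this form edits is an LDAP group to VLAN mapping, so the sentence describes the wrong object. Suggested text: `This will enable or disable this LDAP group mapping.`. The `ldapgroupname` help (`The complete LDAP DN.`) would also be more useful if it said that the value is matched verbatim against Ldap-Group in the generated users file, so it has to be whatever the ldap module's group lookup yields for the user (presumably the group DN, or the name attribute, depending on that module's group configuration).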
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.php b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.php
new file mode 100644
index 000000000..0e75f2296
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.php
@@ -0,0 +1,31 @@
+
+ All rights reserved.
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class Ldapgroup extends BaseModel
+{
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.xml
new file mode 100644
index 000000000..b120513e4
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.xml
@@ -0,0 +1,23 @@ + + //OPNsense/freeradius/ldapgroup + FreeRADIUS ldapgroup configuration + 1.0.0 + + + + + 1 + Y + + + Y + + + N + 1 + 4096 + + + + + diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml index d74274127..8f471bcb4 100644 --- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml +++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml @@ -8,6 +8,7 @@ + diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/ldapgroup.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/ldapgroup.volt new file mode 100644 index 000000000..88d74b363 --- /dev/null +++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/ldapgroup.volt 
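Review bot: The upper bound of the vlan field is rendered here as `4096`, which is one past the largest assignable 802.1Q VLAN ID; the ID is a 12-bit value with 0 and 4095 reserved, so the bound should be `<MaximumValue>4094</MaximumValue>` (the lower bound of 1 is right). The ldapgroupname text field carries no `<Mask>`, and the users template hunk later in this commit interpolates it verbatim inside `DEFAULT Ldap-Group == "{{ ldapgroup_list.ldapgroupname }}"`, so a group name containing a double quote or a line break yields a users file FreeRADIUS cannot parse; a mask such as `<Mask>/^[^"\r\n]+$/</Mask>` rejects that at the API boundary rather than at the next service start. vlan also appears to be optional (the `N` under it, presumably `<Required>`), while that same template emits `Tunnel-Private-Group-Id = "{{ ldapgroup_list.vlan }}"` for every enabled group, so an enabled mapping without a VLAN produces an empty group id; either make vlan required or have the template skip groups whose vlan is empty. Element names are inferred from the values because the tags were stripped in this rendering.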
@@ -0,0 +1,135 @@ +{# + +OPNsense® is Copyright © 2014 – 2017 by Deciso B.V. +Copyright (C) 2017 - 2025 Michael Muenz +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright notice, +this list of conditions and the following disclaimer in the documentation +and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +#} + + + + + +
+
+ + + + + + + + + + + + + + + + + +
{{ lang._('Enabled') }}{{ lang._('Groupname') }}{{ lang._('VLAN ID') }}{{ lang._('ID') }}{{ lang._('Commands') }}
+ + +
+
+
+
+ +

+
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSLdapgroup,'id':'dialogEditFreeRADIUSLdapgroup','label':lang._('Edit LDAP Group')])}}
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index 6618e4110..dda33d3f3 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -101,6 +101,18 @@ DEFAULT Hint == "CSLIP"
 DEFAULT Hint == "SLIP"
 Framed-Protocol = SLIP
+
+{% if helpers.exists('OPNsense.freeradius.ldapgroup.ldapgroups.ldapgroup') %}
+{% for ldapgroup_list in helpers.toList('OPNsense.freeradius.ldapgroup.ldapgroups.ldapgroup') %}
+{% if ldapgroup_list.enabled == '1' %}
+DEFAULT Ldap-Group == "{{ ldapgroup_list.ldapgroupname }}"
+ Tunnel-Type = VLAN,
+ Tunnel-Medium-Type = IEEE-802,
+ Tunnel-Private-Group-Id = "{{ ldapgroup_list.vlan }}"
+{% endif %}
+{% endfor %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.freeradius.general.fallbackvlan_enabled') and OPNsense.freeradius.general.fallbackvlan_enabled == '1' %}
 DEFAULT Auth-Type := Accept