diff --git a/config/config-template.php b/config/config-template.php
index 3d1aff1445e91766da4e89bbc2ae8dd93464d2c9..c9980eb974060e8c22140f40c5dae2e25a22f83b 100644
--- a/config/config-template.php
+++ b/config/config-template.php
@@ -104,32 +104,37 @@ $config = array (
 	 *	Options: [flatfile,saml2xmlmeta]
 	 *
 	 */
-	#'metadata.handler'		=> 'saml2xmlmeta',
 	'metadata.handler'		=> 'flatfile',
 
 	
-
-	
 	/*
 	 * LDAP configuration. This is only relevant if you use the LDAP authentication plugin.
 	 */
-	'auth.ldap.dnpattern'	=> 'uid=%username%,dc=feide,dc=no,ou=feide,dc=uninett,dc=no',
-	'auth.ldap.hostname'	=> 'ldap.uninett.no',
-	'auth.ldap.attributes'	=> 'objectclass=*',
+	'auth.ldap.dnpattern'  => 'uid=%username%,dc=feide,dc=no,ou=feide,dc=uninett,dc=no',
+	'auth.ldap.hostname'   => 'ldap.uninett.no',
+	'auth.ldap.attributes' => 'objectclass=*',
 	
 	/*
 	 * Radius authentication. This is only relevant if you use the Radius authentication plugin.
+	 * user attributes are expected to be stored in a Vendor-Specific RADIUS string attribute and have
+	 * the form aai-attribute=value
+	 * vendor and vendor-attr below indicate in which RADIUS attribute the AAI attributes are in.
+	 * multiple occurences of that RADIUS attribute are supported
 	 */
-	'auth.radius.hostname'	=> 'radius.example.org',
-	'auth.radius.port'		=> '1812',
-	'auth.radius.secret'	=> 'topsecret',
+	'auth.radius.hostname'        => 'radius.example.org',
+	'auth.radius.port'            => '1812',
+	'auth.radius.secret'          => 'topsecret'
+	'auth.radius.URNForUsername'  => 'urn:mace:dir:attribute-def:eduPersonPrincipalName',
+	'auth.radius.vendor'          => '23735',
+	'auth.radius.vendor-attr'     => '4'
+
 	
 	/*
 	 * These parameters are only relevant if you setup an OpenID Provider.
 	 */
-	'openid.userid_attributename'		=>	'eduPersonPrincipalName',
-	'openid.delegation_prefix'			=>	'https://openid.feide.no/',
-	'openid.filestore'					=>	'/tmp/openidstore',
+	'openid.userid_attributename' => 'eduPersonPrincipalName',
+	'openid.delegation_prefix'    => 'https://openid.feide.no/',
+	'openid.filestore'            => '/tmp/openidstore',
 	
 
 	/*
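Review bot: The new entries `'auth.radius.secret' => 'topsecret'` and `'auth.radius.vendor-attr' => '4'` have no trailing comma although another key follows each of them, so the template is a PHP parse error as committed; they should end `'topsecret',` and `'4',`. The shared secret is still the literal `'topsecret'`, and because this file is presumably copied to become the live configuration, a comment such as `// placeholder: replace with the shared secret configured on your RADIUS server` would keep it from being deployed as is. The added comment block could also state that attribute names are taken from the RADIUS reply itself (the `aai-attribute=value` form). As far as the login-radius.php hunk in this commit shows, they are merged into the user's attribute set without an allow-list, so the RADIUS server is trusted to assert any attribute.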
diff --git a/www/auth/login-radius.php b/www/auth/login-radius.php
index fb147f8bbe0858909961204723feba6624c2f495..4bb69ad5bdd801fe7a2333a6d587e14bf3737589 100644
--- a/www/auth/login-radius.php
+++ b/www/auth/login-radius.php
@@ -45,9 +45,36 @@ if (isset($_POST['username'])) {
 		switch (radius_send_request($radius))
 		{
 			case RADIUS_ACCESS_ACCEPT:
-	
+				
 				// GOOD Login :)
-				$attributes = array('urn:mace:eduroam.no:username' => array($_POST['username']));
+				
+				$attributes = array( $config->getValue('auth.radius.URNForUsername') => array($_POST['username']));
+				
+				// get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA
+				while ($resa = radius_get_attr($radius)) {
+					
+					if (! is_array($resa)) {
+						printf ("Error getting attribute: %s\n",  radius_strerror($res));
+						exit;
+					}
+					
+					if ($resa['attr'] == RADIUS_VENDOR_SPECIFIC) {
+						$resv = radius_get_vendor_attr($resa['data']);
+						if (is_array($resv)) {
+							$vendor = $resv['vendor'];
+							$attrv = $resv['attr'];
+							$datav = $resv['data'];
+							printf("Got Vendor Attr:%d %d Bytes %s\n", $attrv, strlen($datav), bin2hex($datav));
+							if ($vendor == $config->getValue('auth.radius.vendor') && $attrv == $config->getValue('auth.radius.vendor-attr'))
+							   $attrib_name  = strtok ($datav,'=');
+							   $attrib_value = strtok ('=');
+							   $attributes = $attributes + array($attrib_name => array($attrib_value));
+						}
+					}
+				}
+				// end of contribution
+
+				//$attributes = array('urn:mace:eduroam.no:username' => array($_POST['username']));
 				
 				$logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'radius', 'OK', $_POST['username'], $_POST['username'] . ' successfully authenticated');