diff --git a/LibreNMS/Authentication/RadiusAuthorizer.php b/LibreNMS/Authentication/RadiusAuthorizer.php
index 05aa23d30b..bdd3ff42e7 100644
--- a/LibreNMS/Authentication/RadiusAuthorizer.php
+++ b/LibreNMS/Authentication/RadiusAuthorizer.php
@@ -33,7 +33,26 @@ class RadiusAuthorizer extends MysqlAuthorizer
 $password = $credentials['password'] ?? null;
 if ($this->radius->accessRequest($credentials['username'], $password) === true) {
- $this->addUser($credentials['username'], $password, Config::get('radius.default_level', 1));
+ // attribute 11 is "Filter-Id", apply and enforce user role (level) if set
+
+ $filter_id_attribute = $this->radius->getAttribute(11);
+ $level = match ($filter_id_attribute) {
+ 'librenms_role_admin' => 10,
+ 'librenms_role_normal' => 1,
+ 'librenms_role_global-read' => 5,
+ default => Config::get('radius.default_level', 1)
+ };
+
+ // if Filter-Id was given and the user exists, update the level
+ if ($filter_id_attribute && $this->userExists($credentials['username'])) {
+ $user = \App\Models\User::find($this->getUserid($credentials['username']));
+ $user->level = $level;
+ $user->save();
+
+ return true;
+ }
+
+ $this->addUser($credentials['username'], $password, $level, '', $credentials['username'], 0);
 return true;
 }
diff --git a/doc/Extensions/Authentication.md b/doc/Extensions/Authentication.md
index 8a03488095..af25d57554 100644
--- a/doc/Extensions/Authentication.md
+++ b/doc/Extensions/Authentication.md
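Review bot: An unrecognized Filter-Id value now overwrites an existing user's stored level with `radius.default_level`, because the `default =>` arm of the `match` yields the default and `$filter_id_attribute` is truthy for any non-empty string — a manually promoted account is demoted on its next login if the RADIUS server sends an unrelated Filter-Id, while an account whose role attribute was removed in RADIUS keeps its old level since the update path is skipped entirely. If the intent is "enforce only when a known role is sent", map unknown values to null and touch existing users only then: `default => null,`, `if ($level !== null && $this->userExists($credentials['username'])) {`, and `$this->addUser($credentials['username'], $password, $level ?? Config::get('radius.default_level', 1), '', $credentials['username'], 0);`; logging an unrecognized Filter-Id at that point would also make a misconfigured RADIUS reply visible to operators. `\App\Models\User::find()` can still return null if the id lookup fails between the `userExists` check and the write, so `$user->level` should be guarded rather than dereferenced unconditionally. The accompanying Authentication.md hunk documents `librenms_role_admin` as level `5` and `librenms_role_global-read` as `10`, the inverse of this `match`; one of the two should be corrected so operators grant the level they expect. The enclosing method starts and ends outside the hunk.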
@@ -267,9 +267,23 @@ setsebool -P httpd_can_connect_ldap 1
 ## Radius Authentication
 Please note that a mysql user is created for each user the logs in
-successfully. User level 1 is assigned to those accounts so you will
-then need to assign the relevant permissions unless you set
-`$config['radius']['userlevel']` to be something other than 1.
+successfully. User level 1 is assigned by default to those accounts
+unless radius sends a reply attribute with the correct userlevel.
+
+You can change the default userlevel by setting
+`$config['radius']['userlevel']` to something other than 1.
+
+The attribute `Filter-ID` is a standard Radius-Reply-Attribute (string) that
+can be assigned a value which translates into a userlevel in LibreNMS.
+
+The strings to send in `Filter-ID` reply attribute is *one* of the following:
+
+- `librenms_role_normal` - Sets the value `1`, which is the normal user level.
+- `librenms_role_admin` - Sets the value `5`, which is the administrator level.
+- `librenms_role_global-read` - Sets the value `10`, which is the global read level.
+
+LibreNMS will ignore any other strings sent in `Filter-ID` and revert to default userlevel that is set in `config.php`.
+
 ```php
 $config['radius']['hostname'] = 'localhost';
@@ -280,6 +294,11 @@ $config['radius']['users_purge'] = 14; // Purge users who haven't logged in f
 $config['radius']['default_level'] = 1; // Set the default user level when automatically creating a user.
 ```
+### Radius Huntgroup
+
+Freeradius has a function called `Radius Huntgroup` which allows to send different attributes based on NAS. This may be utilized if you already use `Filter-ID` in your environment and also want to use radius with LibreNMS.
+
 ### Old account cleanup
 Cleanup of old accounts is done by checking the authlog. You will need