diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/API.php b/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
index 6aee09bd4..4ea74847d 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
@@ -35,7 +35,7 @@ use OPNsense\Core\Config;
 * Class API key/secret database connector (connect to legacy xml structure).
 * @package OPNsense\Auth
 */
-class API implements IAuthConnector
+class API extends Base implements IAuthConnector
 {
 /**
 * @var array internal list of authentication properties
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
new file mode 100644
index 000000000..bedc7556c
--- /dev/null
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
@@ -0,0 +1,98 @@
+getUser($username);
+ if ($user != null) {
+ $uid = (string)$user->uid;
+ $cnf = Config::getInstance()->object();
+ if (isset($cnf->system->group)) {
+ foreach ($cnf->system->group as $group) {
+ if (isset($group->member)) {
+ foreach ($group->member as $member) {
+ if ((string)$uid == (string)$member) {
+ $groups[] = (string)$group->gid;
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+ return $groups;
+ }
+
+ /**
+ * user allowed in local group
+ * @param string $username username to check
+ * @param string $gid group id
+ * @return boolean
+ */
+ public function groupAllowed($username, $gid)
+ {
+ return in_array($gid, $this->groups($username));
+ }
+
+ /**
+ * find user settings in local database
+ * @param string $username username to find
+ * @return SimpleXMLElement|null user settings (xml section)
+ */
+ protected function getUser($username)
+ {
+ // search local user in database
+ $configObj = Config::getInstance()->object();
+ $userObject = null;
+ foreach ($configObj->system->children() as $key => $value) {
+ if ($key == 'user' && !empty($value->name) && (string)$value->name == $username) {
+ // user found, stop search
+ $userObject = $value;
+ break;
+ }
+ }
+ return $userObject;
+ }
+}
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 39da1eeb1..08b21839f 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -33,7 +33,7 @@ namespace OPNsense\Auth;
 * Class LDAP connector
 * @package OPNsense\Auth
 */
-class LDAP implements IAuthConnector
+class LDAP extends Base implements IAuthConnector
 {
 /**
 * @var int ldap version to use
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Local.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Local.php
index 621cd3166..36c29121f 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Local.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Local.php
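Review bot: The uid/member, gid and username comparisons in this new file are loose (`==`, and `in_array()` without `strict`), and because uids, gids and sometimes usernames are numeric strings PHP compares them numerically, so `"1e3"` equals `"1000"` and `"01"` equals `"1"`; in `getUser()` that lets a lookup by one name resolve to a different local user record, and `groupAllowed()` can accept a gid that is only numerically equal to a configured one. Prefer identity comparison on the already string-cast values: `if ((string)$uid === (string)$member) {`, `return in_array($gid, $this->groups($username), true);` and `if ($key == 'user' && !empty($value->name) && (string)$value->name === (string)$username) {` (the cast on `$username` keeps callers that pass an xml object working, which the loose form currently allows). The `$user != null` guard would read more precisely as `$user !== null`, since as written it depends on SimpleXMLElement's bool conversion rather than on the null return of `getUser()`. The start of `groups()` — its signature and the initialisation of `$groups` — is not visible in this rendering of the hunk.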
@@ -35,7 +35,7 @@ use OPNsense\Core\Config;
 * Class Local user database connector (using legacy xml structure).
 * @package OPNsense\Auth
 */
-class Local implements IAuthConnector
+class Local extends Base implements IAuthConnector
 {
 /**
 * type name in configuration
@@ -64,26 +64,6 @@ class Local implements IAuthConnector
 return array();
 }

- /**
- * find user settings in local database
- * @param string $username username to find
- * @return SimpleXMLElement|null user settings (xml section)
- */
- protected function getUser($username)
- {
- // search local user in database
- $configObj = Config::getInstance()->object();
- $userObject = null;
- foreach ($configObj->system->children() as $key => $value) {
- if ($key == 'user' && !empty($value->name) && (string)$value->name == $username) {
- // user found, stop search
- $userObject = $value;
- break;
- }
- }
- return $userObject;
- }
-
 /**
 * authenticate user against local database (in config.xml)
 * @param string|SimpleXMLElement $username username (or xml object) to authenticate
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
index 976d6ec07..470c2f32d 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
@@ -34,7 +34,7 @@ namespace OPNsense\Auth;
 * Class Radius connector
 * @package OPNsense\Auth
 */
-class Radius implements IAuthConnector
+class Radius extends Base implements IAuthConnector
 {
 /**
 * @var null radius hostname / ip
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
index c252f6a48..d59b4b0e6 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
@@ -36,7 +36,7 @@ use OPNsense\Core\Config;
 * Class Voucher user database connector
 * @package OPNsense\Auth
 */
-class Voucher implements IAuthConnector
+class Voucher extends Base implements IAuthConnector
 {
 /**
 * @var null reference id
@@ -451,4 +451,15 @@ class Voucher implements IAuthConnector
 return $fields;
 }
+
+ /**
+ * groups not supported
+ * @param string $username username to check
+ * @param string $gid group id
+ * @return boolean
+ */
+ public function groupAllowed($username, $gid)
+ {
+ return false;
+ }
 }
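Review bot: Only `groupAllowed()` is overridden here, so the `groups()` inherited from Base is still reachable on a Voucher connector and will search the local user database for the voucher name; if group membership is meant to be unsupported for vouchers, overriding `groups()` as well (`public function groups($username) { return array(); }`, matching the `return array();` style used in Local) keeps both entry points consistent. The declaration of `groups()` is not visible on this page, so its being public is inferred from `groupAllowed()` calling `$this->groups()` in Base — verify before adding the override. The docblock `groups not supported` explains the unused `$username` and `$gid` parameters adequately.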