diff --git a/LibreNMS/Authentication/RadiusAuthorizer.php b/LibreNMS/Authentication/RadiusAuthorizer.php
index 10c3f71d72c7..dd2b523b0778 100644
--- a/LibreNMS/Authentication/RadiusAuthorizer.php
+++ b/LibreNMS/Authentication/RadiusAuthorizer.php
@@ -42,6 +42,7 @@ public function authenticate($credentials)
 'auth_type' => LegacyAuth::getType(),
 'can_modify_passwd' => 0,
 ]);
+ $new_user = ! $user->exists;
 $user->save();
 // cache a single role from the Filter-ID attribute now because attributes are cleared every accessRequest
@@ -50,7 +51,9 @@ public function authenticate($credentials)
 $this->roles[$credentials['username']] = [substr($filter_id_attribute, 14)];
 }
- $user->setRoles($this->roles[$credentials['username']] ?? $this->getDefaultRoles(), true);
+ if (Config::get('radius.enforce_roles') || $new_user) {
+ $user->setRoles($this->roles[$credentials['username']] ?? $this->getDefaultRoles(), true);
+ }
 return true;
 }
diff --git a/lang/en/settings.php b/lang/en/settings.php
index 6c58a822405e..2f54f4b65c51 100644
--- a/lang/en/settings.php
+++ b/lang/en/settings.php
@@ -1265,6 +1265,10 @@
 'description' => 'Default user roles',
 'help' => 'Sets the roles that will be assigned to the user unless Radius sends attributes that specify role(s)',
 ],
+ 'enforce_roles' => [
+ 'description' => 'Enforce roles at login',
+ 'help' => 'If enabled, roles will be set to the ones specified by the Filter-ID attribute or radius.default_roles at login. Otherwise, they will be set when the user is created and never changed after that.',
+ ],
 ],
 'reporting' => [
 'error' => [
diff --git a/misc/config_definitions.json b/misc/config_definitions.json
index 5b9d32b7c042..407b90096d10 100644
--- a/misc/config_definitions.json
+++ b/misc/config_definitions.json
@@ -33,7 +33,7 @@
 "value": "array",
 "value.*": "string"
 }
- },
+ },
 "alert_colour.ok": {
 "default": "#00ff00",
 "type": "color"
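Review bot: In the second RadiusAuthorizer.php hunk, once `radius.enforce_roles` is switched off an existing account keeps the roles it was created with, so a later downgrade or removal of the Filter-ID role on the RADIUS server never reaches LibreNMS and the old privileges stay in force. That trade-off is worth a comment above the new `if`, for example `// With enforce_roles off, roles are local-only after first login: RADIUS role changes, including downgrades, are not applied.` The guard also reads the setting with no fallback, so a missing value means "do not enforce"; `Config::get('radius.enforce_roles', true)` would keep the stricter behaviour in that case. `$new_user` from the first hunk is only meaningful because it is read before `$user->save()`, and the call that builds `$user` is outside the hunk, so presumably it returns an unsaved model for a first-time login. authenticate() starts outside both hunks.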
@@ -5111,6 +5111,13 @@
 "order": 3,
 "type": "array"
 },
+ "radius.enforce_roles": {
+ "default": true,
+ "group": "auth",
+ "section": "radius",
+ "order": 4,
+ "type": "boolean"
+ },
 "rancid_configs": {
 "default": [],
 "type": "array"