diff --git a/src/auth/pam.c b/src/auth/pam.c index ce47122f..d90b41ec 100644 --- a/src/auth/pam.c +++ b/src/auth/pam.c @@ -24,6 +24,7 @@ #include #include #include "pam.h" +#include "cfg.h" #include #ifdef HAVE_PAM @@ -341,17 +342,10 @@ struct pam_ctx_st * pctx = ctx; static void pam_group_list(void *pool, void *_additional, char ***groupname, unsigned *groupname_size) { struct group *grp; + struct pam_cfg_st *config = _additional; gid_t min = 0; - char *additional = _additional; - if (additional != NULL) { - if (strstr(additional, "gid-min=") != NULL) { - additional += 8; - min = atoi(additional); - } else { - syslog(LOG_INFO, "unknown PAM auth string '%s'", additional); - } - } + min = config->gid_min; setgrent(); diff --git a/src/cfg.h b/src/cfg.h index dcb29bb0..e2863793 100644 --- a/src/cfg.h +++ b/src/cfg.h @@ -37,6 +37,10 @@ typedef struct radius_cfg_st { char *config; } radius_cfg_st; +typedef struct pam_cfg_st { + int gid_min; +} pam_cfg_st; + unsigned expand_brackets_string(struct cfg_st *config, const char *str, subcfg_val_st out[MAX_SUBOPTIONS]); inline static void free_expanded_brackets_string(subcfg_val_st out[MAX_SUBOPTIONS], unsigned size) { @@ -52,5 +56,6 @@ inline static void free_expanded_brackets_string(subcfg_val_st out[MAX_SUBOPTION void *get_brackets_string1(struct cfg_st *config, const char *str); void *gssapi_get_brackets_string(struct cfg_st *config, const char *str); void *radius_get_brackets_string(struct cfg_st *config, const char *str); +void *pam_get_brackets_string(struct cfg_st *config, const char *str); #endif diff --git a/src/config.c b/src/config.c index 9f9c7eb2..333228c5 100644 --- a/src/config.c +++ b/src/config.c 
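Review bot: In `pam_group_list` (src/auth/pam.c), `min = config->gid_min;` dereferences `_additional` unconditionally, whereas the removed code tolerated a NULL pointer. `pam_get_brackets_string` in this same commit returns NULL when `talloc_zero` fails, and whether every caller runs that parser before listing groups is not visible here, so a guard is cheap: `if (config != NULL) min = config->gid_min;`. Separately, `gid_min` is declared `int` in `pam_cfg_st` while `min` is a `gid_t`; declaring the field `unsigned` (or `gid_t`) would avoid the implicit sign conversion. The function body continues beyond the hunk.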
@@ -357,7 +357,7 @@ typedef struct auth_types_st { static auth_types_st avail_auth_types[] = { #ifdef HAVE_PAM - {NAME("pam"), &pam_auth_funcs, AUTH_TYPE_PAM, get_brackets_string1}, + {NAME("pam"), &pam_auth_funcs, AUTH_TYPE_PAM, pam_get_brackets_string}, #endif #ifdef HAVE_GSSAPI {NAME("gssapi"), &gssapi_auth_funcs, AUTH_TYPE_GSSAPI, gssapi_get_brackets_string}, diff --git a/src/subconfig.c b/src/subconfig.c index f1d15879..f5a0cb97 100644 --- a/src/subconfig.c +++ b/src/subconfig.c @@ -215,15 +215,46 @@ void *radius_get_brackets_string(struct cfg_st *config, const char *str) } else if (c_strcasecmp(vals[i].name, "groupconfig") == 0) { if (CHECK_TRUE(vals[i].value)) config->sup_config_type = SUP_CONFIG_RADIUS; + } else { + fprintf(stderr, "unknown option '%s'\n", vals[i].name); + exit(1); + } + } + free_expanded_brackets_string(vals, vals_size); + } + + return additional; +} +#endif + +#ifdef HAVE_PAM +void *pam_get_brackets_string(struct cfg_st *config, const char *str) +{ + subcfg_val_st vals[MAX_SUBOPTIONS]; + unsigned vals_size, i; + pam_cfg_st *additional; + + additional = talloc_zero(config, pam_cfg_st); + if (additional == NULL) { + return NULL; + } + + /* new format */ + vals_size = expand_brackets_string(config, str, vals); + for (i=0;igid_min = atoi(vals[i].value); + if (additional->gid_min < 0) { + fprintf(stderr, "error in gid-min value: %d\n", additional->gid_min); + exit(1); + } } else { fprintf(stderr, "unknown option '%s'\n", vals[i].name); exit(1); } } - free_expanded_brackets_string(vals, vals_size); - return additional; - } + free_expanded_brackets_string(vals, vals_size); return additional; } #endif
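Review bot: In `pam_get_brackets_string` (src/subconfig.c), `atoi(vals[i].value)` cannot tell a malformed `gid-min` from a valid number, so a typo such as `gid-min=abc` or `gid-min=1000x` is accepted silently as 0 or 1000, and the group filter may end up weaker than the administrator intended. Out-of-range input is also undefined behaviour for `atoi`. Parsing with `strtol`, checking the end pointer and `errno`, and rejecting anything outside 0..INT_MAX would extend the existing `exit(1)` failure path to every bad value. Whether `vals[i].value` can be NULL for a bare `gid-min` option is not visible in this hunk and should be confirmed before the call. The loop header is garbled in the page text, so the sketch shows only the body of the `gid-min` branch; it relies on `errno` and `INT_MAX` being declared in subconfig.c.

```c
/* … unchanged: loop over vals[] and the match on the gid-min option … */
	char *end = NULL;
	long v;

	errno = 0;
	v = strtol(vals[i].value, &end, 10);
	if (errno != 0 || end == vals[i].value || *end != '\0' ||
	    v < 0 || v > INT_MAX) {
		fprintf(stderr, "error in gid-min value: %s\n", vals[i].value);
		exit(1);
	}
	additional->gid_min = (int)v;
/* … unchanged: unknown-option branch and free_expanded_brackets_string() … */
```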