Checking SSID via A/D Group

Garber, Neal Neal.Garber at energyeast.com
Sun Jun 25 06:49:15 CEST 2006


>> FreeBSD with OpenSSL 0.9.7d-p1 17 and Samba 3.0.20b.  If the server
>> is joined to an Active Directory domain, would it be possible to not
>> just authenticate user/pwd through Samba, but also to check for
>> Windows group membership based upon the SSID

> Yes.  For the purposes of group checking, AD is just an LDAP
> directory.  You should be able to edit the LDAP group membership
> checks to do this.

Thank you for your quick response Alan.  I'm currently using 802.1x with
eap-peap and mschapv2 to a Cisco ACS to authenticate WinXP 802.11 users.
Would I use eap-peap/mschapv2 and LDAP within FR to do the
authentication and will this also support changing AD passwords when
they are expired?

Also, I've done some Google searches and I read the rlm_ldap doc.  I
found examples on how to do checking for a static LDAP group, but can't
find any examples on how to check for a dynamic group name.

Can you give me an example of checking AD group membership, using
rlm_ldap, where the group varies based upon the NAS group and literal
string + attribute value?  For example: for NAS group "mobile", user
must be a member of "Mobile Users" group; for NAS group "APs" and
cisco-av-pair request attr. == "ssid=myssid", the user would need to be
a member of "Wireless myssid Users" group in AD (if the attribute isn't
present, then reject).  If this is possible, can you give me an example
of how this would be done?

Thanks again for your assistance.
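One way to express the policy asked about above, as an added example that is not part of this thread and not configuration from the FreeRADIUS project itself. It assumes the unlang policy language of FreeRADIUS 2.x/3.x (which did not exist at the time of this 2006 post), an ldap module already configured against AD with group lookups working, the `preprocess` module loading a `huntgroups` file that assigns `Huntgroup-Name` from the NAS address, and the Cisco VSA being known to the dictionary as `Cisco-AVPair`. The NAS addresses and the regex are constructed for the example; the group names are the ones from the question. The SSID is taken from the `ssid=` value and spliced into the group name with a regex capture, so a request from the "APs" huntgroup with no `ssid=` AV pair is rejected rather than silently passed.

```unlang
# --- raddb/huntgroups (constructed NAS addresses) ---
# mobile   NAS-IP-Address == 192.0.2.10
# APs      NAS-IP-Address == 192.0.2.20

# --- authorize section of the virtual server (e.g. sites-enabled/default) ---
authorize {
    preprocess          # evaluates huntgroups and sets Huntgroup-Name

    if (Huntgroup-Name == "mobile") {
        # Static group: user must be in the AD group "Mobile Users".
        if (!(LDAP-Group == "Mobile Users")) {
            reject
        }
    }
    elsif (Huntgroup-Name == "APs") {
        # Dynamic group: the required group name is built from the SSID
        # carried in cisco-av-pair, e.g. "ssid=myssid" -> "Wireless myssid Users".
        # The character class limits what can be spliced into the LDAP
        # group name (assumed policy; widen it if SSIDs contain spaces).
        if (Cisco-AVPair =~ /^ssid=([A-Za-z0-9_.-]+)$/) {
            if (!(LDAP-Group == "Wireless %{1} Users")) {
                reject
            }
        }
        else {
            # Attribute absent or malformed: reject, as the policy requires.
            reject
        }
    }

    ldap
    ...
}
```

Two things to check before relying on this. First, confirm on your version that a double-quoted right-hand side of an `LDAP-Group` comparison is xlat-expanded before the group lookup runs (it is assumed here); `radiusd -X` shows the expanded group name and the LDAP query. Second, with PEAP the inner MSCHAPv2 request is handled by the `inner-tunnel` virtual server, which does not see the outer request's `Cisco-AVPair` unless `copy_request_to_tunnel` is enabled in the EAP PEAP configuration (or the check is placed in the outer server); otherwise the "APs" branch will reject every wireless user because the attribute appears to be missing.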
