--- ../pam_radius-1.3.17 (2)/pam_radius_auth.c	2007-03-26 11:36:13.000000000 +0200
+++ pam_radius_auth.c	2011-01-03 15:02:27.811496770 +0100
@@ -143,7 +143,8 @@
     } else if (!strcmp(*argv, "debug")) {
       ctrl |= PAM_DEBUG_ARG;
       conf->debug = 1;
-      
+    } else if (!strncmp(*argv, "filter_id=",10)) {
+      conf->filter_id = (char *) *argv+10;
     } else {
       _pam_log(LOG_WARNING, "unrecognized option '%s'", *argv);
     }
@@ -705,6 +706,8 @@
   gethostname(hostname, sizeof(hostname) - 1);
 
   request->length = htons(AUTH_HDR_LEN);
+  
+  //_pam_log(LOG_ERR, "RADIUS %s", password);
 
   if (password) {		/* make a random authentication req vector */
     get_random_vector(request->vector);
@@ -1191,6 +1194,7 @@
     attribute_t *a_state, *a_reply;
     char challenge[BUFFER_SIZE];
 
+
     /* Now we do a bit more work: challenge the user, and get a response */
     if (((a_state = find_attribute(response, PW_STATE)) == NULL) ||
 	((a_reply = find_attribute(response, PW_REPLY_MESSAGE)) == NULL)) {
@@ -1228,9 +1232,40 @@
 
     DPRINT(LOG_DEBUG, "Got response to challenge code %d", response->code);
   }
+  
+  int FILTERGROUP_SUCCESS = 1; // to ensure that access is granted even without filter-id groups
+
+  /* Auslesen Filter-Id */
+  if (config.filter_id != NULL) {
+    FILTERGROUP_SUCCESS = 0;
+    int j, i=0;
+    char *token[20]; 
+    token[0] = strtok(config.filter_id, ","); // generate token list
+    while(token[i] != NULL) {
+      i++;
+      if (i==20) {
+        _pam_log(LOG_WARNING, "Too many filter-id tokens");
+        break;
+      }
+      token[i] = strtok(NULL, ",");
+    }
+    attribute_t *a_11;
+    a_11 = find_attribute(response, PW_FRAMED_FILTER_ID); // get filter-id attribute
+    if (a_11 != NULL) {
+      char *filterid = strndup(a_11->data, a_11->length-2); // don't ask me, function add_attribute defines data length +2 as total size of the attribute
+      for (j=0; j<i; j++) {
+        if (strcmp(token[j],filterid) == 0) { // break as soon one filter-id is identical to the attribute response
+          FILTERGROUP_SUCCESS = 1;
+          break;     
+        }
+      }
+    }
+  }
+
+  DPRINT(LOG_DEBUG, "RADIUS FILTERGROUP_SUCCESS: %d", FILTERGROUP_SUCCESS);
 
   /* Whew! Done the pasword checks, look for an authentication acknowledge */
-  if (response->code == PW_AUTHENTICATION_ACK) {
+  if (response->code == PW_AUTHENTICATION_ACK && FILTERGROUP_SUCCESS == 1) {
     retval = PAM_SUCCESS;
   } else {
     retval = PAM_AUTH_ERR;	/* authentication failure */
