You will need to configure the LDAP module to fetch groups from ADs LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is setup correctly:
DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Students" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 10, Tunnel-Type = VLAN
DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Staff" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 20, Tunnel-Type = VLAN
The doc. states that LDAP only supports PAP. Is this a problem given he said he's using PEAP/MSCHAPv2? How would LDAP do the authentication if it doesn't have a clear text password? Or is the approach to use MSCHAPv2 for authentication and then LDAP for authorization?? Thanks for helping me better understand...