I have successfully configured freeradius to authenticate against AD using the winbind socket (not the ntlm_auth command). I find myself needing to also authorize based on AD group membership, more precisely based on negative group membership (We maintain a "deny wireless" group). It seems like I could use the LDAP module and test for the group there, but I noticed that the ntlm_auth command supports some notion of group checking through the '--require-membership-of=STRING' option. It follows that winbind has access to AD groups and could be used to check. I haven't been able to find any guidance on the freeradius.org documentation site, so I was wondering if there is a preferred method for AD-based group checking when using winbind. -- Munroe Sollog Senior Network Engineer munroe@lehigh.edu