Hi,
So, for exemple, SSID-Corp-Employee is only accessible to a certain users, member of ADgroupA , and SSID-Corp-Direction, only accessible to users, member of ADgroupB
When only authenticating with 1 single AD group, there is no problem, the :
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=GALAXY\rad01 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Re sponse}:-00}"
dont do that. leave authentication alone and use authorization so, use simple LDAP check to verify if someone can connect - this scales because you match the SSID to the LDAP group..so , configure the LDAP module so it can query your LDAP (which is AD) for the users group and then if ( ldap_stuff_here != &Called-Station-SSID) { reject } LDAP stuff can either be an LDAP-Group call or a %{ldap:} call. basically, get value from LDAP and check against that supplied in the RADIUS request alan