Hello mailing list! I have tried to search the archive and the web for the answer to my question but I am unable to find the answer..... I'm sure someone here has run into this before. I am attempting to setup the good old freeradius + active directory + access point to get peap going scenario. I have freeradius setup fine to use ldap to auth the user, and it works. I am attempting to setup finer access control (well really simple) to check if the user is a member of a group before allowing access. Here are some configs: radiusd.conf ldap { server = "domaincontroller.my.domain.com" identity = "adreader" password = "test1234" basedn = "cn=users,dc=my,dc=domain,dc=com" filter = "(sAMAccountName=%u)" port = 636 start_tls = no tls_mode = no # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_attribute = "memberOf" timeout = 4 timelimit = 3 net_timeout = 1 } In my users file all I have is: DEFAULT Ldap-Group == "badgroup", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have access" When I use NTRadPing to test with a user that is in "badgroup" I still get an Access-Accept back. I can do an ldap search using the groupmembership_filter and I get back all the groups my test user is in so I know that isn't the problem. Of course when I do my search I replace the %{Ldap-UserDn} with the actual "cn=username,<what I have for basedn>" Also I have the groupmembership_attribute defined because from what I gather from the docs, it is used if the groupmembership filter fails. Anywho, when I send an auth request while watching the debug output I don't see anything about checking for group/groupmembership/etc. If I change my filter "filter = "(sAMAccountName=%u)" to also check for the group name, everything will work, but of course I would like to use the users file. I've got TLS set to no and port set to 636 because I am using a crap-tacular windows 2000 domain, which doesn't support TLS :-( I think I am missing something or something isn't quite right. Anyone have any ideas, or has anyone gotten ldap group checking to work against active directory?? Thanks -- Chris Liles System Analyst Air2Web, Inc. 1230 Peachtree St. N.E. 12th Floor Atlanta, GA 30309