Cisco AP 1240AG - PEAP/MSCHAPv2 with ntlm_auth
Konne
bridge_stone at gmx.net
Tue Apr 11 11:34:06 CEST 2006
hi
my situation:
I have Windows 2003 Server domain controllers. I use FreeRADIUS, which
authenticates the clients in the domain with ntlm_auth. Only users who
are in the group "wireless" have access to the wireless:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=DOMAIN\\WIRELESS"
My question is now:
How can I achieve the following: I have 2 SSIDs, one ssid=administrators
and the other ssid=users.
I omit the "--require-membership-of=DOMAIN\\WIRELESS" on the ntlm
authentication and make two groups in Active Directory:
-- wireless_admin - ssid1=admins
-- wireless_users - ssid2=users
When the user is a member of admins, he gets the VLAN and the SSID for
Administrators,
and when the user is a member of users, he gets the VLAN and the SSID
for Users.
Is it possible to configure this in "/etc/raddb/users" like the
following, but without user1, and instead of that with a group?
user1   Auth-Type := EAP
        Cisco-AVPair := "ssid=admins",
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN

user2   Auth-Type := EAP
        Cisco-AVPair := "ssid=users",
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN
Does someone have experience with combining ntlm and group differentiation?
And how can I make it so that the admins can also log in via the shell,
while the users get only authentication, with no shell or something like that?
thx Konne
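One way to do the group-to-VLAN mapping and the shell/no-shell split, as an added example that is not from the original post or from the FreeRADIUS distribution: it keeps ntlm_auth for the MSCHAPv2 authentication and uses the FreeRADIUS ldap module only to look up Active Directory group membership, so the "users" file can test `Ldap-Group` instead of naming individual accounts. The domain `example.local`, the DC `dc1`, the bind account `radius` and the VLAN numbers are assumed values; the group names are the ones from the post. It also assumes that telnet/ssh logins from the IOS AP arrive with `NAS-Port-Type = Virtual` and as PAP, which you should confirm in `radiusd -X` output.

```text
# --- radiusd.conf: LDAP lookup of the AD account and its groups (assumed names) ---
ldap {
        server = "dc1.example.local"
        identity = "cn=radius,cn=Users,dc=example,dc=local"
        password = "bind-account-password"
        basedn = "dc=example,dc=local"
        # Match the AD account by logon name; Stripped-User-Name is what the
        # ntdomain realm leaves after removing the DOMAIN\ prefix.
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # Lets "Ldap-Group == <cn>" compare against the group's cn attribute
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
}

authorize {
        preprocess
        ntdomain        # strips DOMAIN\ so the filter above sees the bare name
        eap
        mschap
        ldap            # lookup only; MSCHAPv2 is still verified by ntlm_auth
        files
}

authenticate {
        Auth-Type MS-CHAP {
                mschap          # wireless: MSCHAPv2 -> ntlm_auth, unchanged
        }
        Auth-Type LDAP {
                ldap            # shell logins arrive as PAP: bind to AD as the user
        }
        eap
}

# --- eap.conf, inside peap { }: send the inner (tunnelled) reply attributes,
#     i.e. the VLAN assignment below, in the outer Access-Accept ---
#       use_tunneled_reply = yes

# --- /etc/raddb/users: first matching entry wins (no Fall-Through), so order matters ---

# Shell logins to the AP: only wireless_admin members get a privilege-15 exec shell
DEFAULT NAS-Port-Type == Virtual, Ldap-Group == "wireless_admin"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Every other shell login is refused outright
DEFAULT NAS-Port-Type == Virtual, Auth-Type := Reject
        Reply-Message = "No shell access for this account"

# Wireless (PEAP/MSCHAPv2) clients: VLAN and SSID follow the AD group
DEFAULT Ldap-Group == "wireless_admin"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Cisco-AVPair = "ssid=admins"

DEFAULT Ldap-Group == "wireless_users"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Cisco-AVPair = "ssid=users"
```

Two caveats. First, keep `--require-membership-of` on the ntlm_auth command (pointing at a group that contains both wireless_admin and wireless_users members, or at both groups in turn if your ntlm_auth supports it) rather than dropping it: the entries above only add a VLAN, so without the AD-side check any domain account that is in neither group would still authenticate, just with no VLAN. Second, do not try to restore that deny-by-default with a catch-all `DEFAULT Auth-Type := Reject` at the end of "users": the outer PEAP request is processed by the same authorize section, its identity often does not match any group, and such an entry would reject the outer exchange before the inner MSCHAPv2 ever runs.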