Yohoo!

>LDAP advantage is that you can get more information out of
>the AD...which is what I believe is the desire in this case

Gotcha! :) My google-searches had driven me into the direction to use _only_ ntlm_auth for authentication vs. AD. Meanwhile I had also triggered out the needed groups-settings. Just for completeness the settings for the groups:

----snip-------
/etc/raddb/radiusd.conf
[...]
        groupname_attribute = "cn"
        groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf
[...]
----snip-------
/etc/raddb/users
DEFAULT Ldap-Group == "Cisco-RW", Auth-Type := LDAP

DEFAULT Ldap-Group == "Cisco-RO", Auth-Type := LDAP

DEFAULT Auth-Type := Reject
        Reply-Message = "No access."
----snip-------

Works fine here. Is there the need of a short howto for the doc/ ?

Greets
Christian