> What is added to the user file for this? Is it similar to below:

Do you need those reply attributes returned?  If not, you may not need
anything in the users file.  I don't have anything in mine, but I'm not
using radius for dial-up/PPP.

> Can I simply use the: --require-membership-of='DOMAIN\Group'
> option of ntlm_auth to accomplish the group check?

I've used this option manually with clear-text passwords, but I haven't
tried it from mschap in FR.  Does it work for you when you run ntlm_auth
from a shell prompt?  If you can't get it to work from mschap, you can
have LDAP get the user's group memberships by adding a checkItem to
ldap.attrmap.  In our environment, the groups to which a user is a
member are stored in the memberOf LDAP attribute.  So, I have the
following in my ldap.attrmap file:

checkItem Ldap-Group          memberOf

Then, ensure ldap is in your authorize section.  This checkItem will
cause ldap to create one Ldap-Group check attribute for each group to
which the user is a member.  In the past, I have successfully used
checkval to do the comparison.  The checkval module compares a request
attribute to a check attribute.  If your group name isn't in a request
attribute, you can use attr_rewrite to add a request attribute with the
group name you desire to test against.  You would then put checkval
after the attr_rewrite and ldap modules in authorize.  

I'm currently using perl to do authorization because of the flexibility
it affords.  (In my case, depending upon the Huntgroup-Name, the group
membership requirement varies.  Also, for some Huntgroups, I allow
several groups and I return a custom reply attribute that specifies the
user's privilege level based on which group they were a member.)  If you
use perl, you wouldn't need attr_rewrite or checkval.

I haven't been using FR for very long so this may not be the best
approach.  However, I'm sure others will chime in if there are better
alternatives.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
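As an added illustration of the rlm_perl approach described in the message above (this is example code, not the poster's own module): an authorize() that picks the permitted groups by Huntgroup-Name, rejects users who are in none of them, and returns a privilege level based on which group matched. It assumes ldap.attrmap carries the `checkItem Ldap-Group memberOf` line so that rlm_ldap creates one Ldap-Group check item per group, that preprocess (for Huntgroup-Name) and ldap run before perl in authorize, and that the policy table, the group DNs and the reply attribute `Example-Privilege-Level` are hypothetical placeholders to be replaced with your own.

```perl
# Added example (not from the original post) of an rlm_perl authorize()
# doing huntgroup-dependent group checks. Assumes rlm_ldap has already
# turned each memberOf value into an Ldap-Group check item via
# "checkItem Ldap-Group memberOf" in ldap.attrmap, and that preprocess
# has set Huntgroup-Name from the huntgroups file.
use strict;
use warnings;

# rlm_perl populates these hashes in package main before calling us.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes as defined in rlm_perl's example.pl.
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

# Hypothetical site policy: Huntgroup-Name -> { group DN => privilege level }.
# Replace the DNs and levels with your own; nothing here is from the post.
my %policy = (
    'vpn'    => { 'CN=VPN Users,OU=Groups,DC=example,DC=com' => 1 },
    'admins' => { 'CN=NetAdmins,OU=Groups,DC=example,DC=com' => 15,
                  'CN=NetOps,OU=Groups,DC=example,DC=com'    => 7 },
);

# rlm_perl hands a single attribute as a scalar and several same-named
# attributes as an array ref (assumption about the FR version in use);
# normalise either form to a plain list of group DNs.
sub as_list {
    my ($v) = @_;
    return () unless defined $v;
    return ref($v) eq 'ARRAY' ? @$v : ($v);
}

# Pure decision function, kept separate from the RADIUS hashes so it can
# be exercised from the shell. Returns (accepted, privilege level or undef).
sub decide {
    my ($huntgroup, @groups) = @_;
    my $hg      = defined $huntgroup ? $huntgroup : '';
    my $allowed = $policy{$hg};
    return (0, undef) unless $allowed;       # unknown huntgroup: deny

    my $best;
    for my $g (@groups) {
        my $lvl = $allowed->{$g};
        next unless defined $lvl;            # not one of the permitted groups
        $best = $lvl if !defined $best || $lvl > $best;   # highest level wins
    }
    return defined $best ? (1, $best) : (0, undef);
}

sub authorize {
    my ($ok, $level) = decide($RAD_REQUEST{'Huntgroup-Name'},
                              as_list($RAD_CHECK{'Ldap-Group'}));
    unless ($ok) {
        $RAD_REPLY{'Reply-Message'} = 'not a member of a permitted group';
        return RLM_MODULE_REJECT;
    }
    # Hypothetical vendor attribute carrying the privilege level; define it
    # in your dictionary and rename to whatever your NAS understands.
    $RAD_REPLY{'Example-Privilege-Level'} = $level;
    return RLM_MODULE_OK;
}

1;
```

Because decide() does not touch %RAD_REQUEST or %RAD_CHECK, you can sanity-check the policy from a shell with `perl -e 'require "./authz.pl"; print join(",", decide("admins", "CN=NetOps,OU=Groups,DC=example,DC=com")), "\n"'` before wiring the module into radiusd.conf; with the table above that prints `1,7`, and an unknown huntgroup or a user in none of the listed groups prints `0,`.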
