The LDAP queries are against the AD server, btw. I forgot to paste the mschap module config, but that's pretty basic...
mschap mschap_cuesta { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=CUESTA --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html