If anyone cares, I got this working by calling a script that contained the following:
#!/bin/sh for T in $(wbinfo --user-domgroups `wbinfo -n $1`) ; do wbinfo -s $T | perl -ne 'chomp and print'; done Which outputs a string containing all the groups the username is a member of. I called the script from sites-available/default under post-auth like so: if (`/bin/sh /etc/freeradius/get_group.sh %{User-Name}` =~ /String.To.Match/) { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 456 } } This was frustrating to figure out, but a good learning experience. --Scott - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html