I feel like jumping up and down after I got FreeRadius, samba winbind, XCA w/ ECDSA certs, Active Directory, and Ubiquiti Unifi all talking together.

Next problem, any valid account in ActiveDirectory will currently authenticate. How do I limit this to the members of a specific AD group?

One terrible way I had thought of was in in the post-auth module executing a bash script that does a quick LDAP search. Could anything bad happen from this?

EDIT

Here's a guide to getting it all to work! https://gist.github.com/exabrial/368c279aad65cefd8c5f

For now, you need to use rlm_ldap (which will be considerably faster than a bash script). We have discussed exposing winbind's APIs for group lookups, but you'd need to be using Samba 3.2.1 and a build of FreeRADIUS v3.1.x to take advantage of any features that were developed.

I'll leave you to look through (and complete) mods-available/ldap as the config file is pretty well documented. After you have it customised to your LDAP server, create a symlink from mods-available/ldap to mods-enabled/ldap to enable the module.

To perform group lookups you need to compare the LDAP-Group attribute with a value, and then make the decision to reject the user.

Something like:

if (LDAP-Group != 'my_group) {
    reject
}

...in the inner tunnel virtual server would work.