== Authentication with orbit LDAP and freeradius3 ==

* install freeradius 3, and freeradius-ldap
* we'll only touch the following files:
  * symlink mods-avalable/ldap to mods-enabled/ldap
  * edit mods-enabled/ldap
  * edit sites-enabled/default
  * edit sites-enabled/inner-tunnel

* ldap control mapping of radius attributes to ldap ones
* sites-enabled/default post-auth sections sets policy

* send semicolon separated list of groups to pfsense 
{{{

foreach &control:Ldap-Group {
    update reply {
        Class += "%{Foreach-Variable-0};"
    }
}
}}}
* set allowed groups
{{{
#allow only users of following groups to authorize
if (LDAP-Group == sysadmin) {
    noop
}
elsif (LDAP-Group == vpnuser) {
    noop
}
else {
    reject
}
}}}