Dead easy - and stable like hell - and easy to troubleshoot - and you can also use radiusproxy to authenticate users from other ad domains.
On the Windows Server..
1. Install IAS on your Server2003 Memberserver or on Domaincontroller
2. Register your IAS in your AD (rightklick on the mmc on IAS to do that)
3. Add your IVE internal IP Address as Radius Client to IAS. configure Radius shared secret.
4. Configure RAS Policy on IAS
Select "Windows Group" like "Management Users" (or even "Domain Users" for testing)
5. On IAS RAS Policy, Profile.. Advanced delete all Attributes.
Add attribute Class (25) with a Value like for example "1"
6. Restart IAS Server each time you change the configuration
7. Configure additional RAS Policies, for the "Stuff Users" in this example. Give Attribute "Class" the Value "2"
1. configure Auth.Server "Radius". Configure Shared Secret (same like on IAS) and IAS IP-Address
2. Configure your userroles like "Management Users" and "Stuff Users"
3. On Realm Level, configure Rolemapping Rules
3.a. IF User attribute Class (25) is "1" then assign Role "Management Users"
3.b. IF User attribute Class (25) is "2" then assign Role "Stuff Users"
If a user logs in to IVE, the credentials of the user are transmitted encrypted to the IAS Radius Server.
The Radius Server proves in AD if the usercredentials are ok and if the user is in the configured windows group.
If the user is member of the group "Management Users", this RAS Policy will match, and the IAS will send a "RAdius Accept" Message back to IVE. PLUS the IAS will send Attribute "Class" with Value "1" to IVE.
Then the IVE will match the user to the role "Management Users" because of the Value of Variable Class.
Why is this the best solution?
The IVE AD integration works with winbind. This is much more complicated and "more things can go wrong".
When you use AD for Authentication and Groupmembership, you have to use Global Catalog on IVE.
With Radius you have a dead easy, stable and scalable solution.
You can also easily use your IAS as RadiusProxy and also integrate Users from other Windows Domains, according to their "prefix" on logon, for example domain1\username and domain2\username.
You can troubleshoot the process easily via Windows System Events Log.
You can also use policytracer, tcpdump and network monitor to see which attributes the IAS is returning.
I installed several SAs and tried everything out, also did AD Authentication, but my expirience is - go with Radius and it will be done fast and with much less headache.