Reply To: Authenticating with Active Directory (Kerberos 5)


#45813

tcorley
Member

Not sure I have much to add here. I administer an AD2000 network and wanted to get the ZeroShell to authenticate from Kerberos. I created slave zones of the forward and reverse parts of the AD DNS servers on the local DNS server, and then set the Kerberos domain. It works rather well, except that it gives everyone with an account on the AD access to the wireless LAN, something which at times I don’t want.

If you have Active Directory, then each server is also a Radius server. With version beta6 you can create a proxy Radius server entry under Radius and then use it as a database against which to authenticate your users. The advantage in AD2000 is that you can restrict those with access to your wireless LAN by membership of a user group.

My only problem is that users had been told to log in using the username@example.com form of their username, which works fine with Kerberos, but not with Radius, which prefers username. I switched back to Kerberos because a lot of our users were not getting through using Radius. Just a matter of user education…

I have to say that ZeroShell is a wonderful piece of software that does what NoCat does in a far more effective way. Support for MAC address bypass, and opening preauth ports for those wanting to use our proxy servers, has made a major difference, and the take-up on our WLAN has been much better this year. It also supports No-Nat routing, which is quite important for network access, as well as auditing Internet usage.