diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
index be7d1affd1..eb488f57d5 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
@@ -65,4 +65,10 @@
         <type>text</type>
         <help>Filter for group objects, should match all available group objects a user might be a member of.</help>
     </field>
+    <field>
+        <id>ldap.group_membership_mode</id>
+        <label>Group Membership Mode</label>
+        <type>dropdown</type>
+        <help>How FreeRADIUS checks LDAP group membership. Use "member filter" for Active Directory or Samba 4 with nested groups (uses LDAP_MATCHING_RULE_IN_CHAIN OID for transitive lookup).</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
index 67cffa256e..90c3a12c27 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/ldap</mount>
     <description>LDAP configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <innertunnel type="BooleanField">
             <Default>0</Default>
@@ -47,5 +47,13 @@
             <Default>(objectClass=posixGroup)</Default>
             <Required>N</Required>
         </group_filter>
+        <group_membership_mode type="OptionField">
+            <Default>attribute</Default>
+            <Required>Y</Required>
+            <OptionValues>
+                <attribute>memberOf attribute (POSIX / flat groups)</attribute>
+                <filter>member filter (Active Directory / Samba 4 nested groups)</filter>
+            </OptionValues>
+        </group_membership_mode>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
index f45a9d389d..7cf7543473 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
@@ -85,7 +85,11 @@ ldap {
 {%     if helpers.exists('OPNsense.freeradius.ldap.group_filter') and OPNsense.freeradius.ldap.group_filter != '' %}
                 filter = "{{ OPNsense.freeradius.ldap.group_filter }}"
 {%     endif %}
+{%     if helpers.exists('OPNsense.freeradius.ldap.group_membership_mode') and OPNsense.freeradius.ldap.group_membership_mode == 'filter' %}
+                membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
+{%     else %}
                 membership_attribute = 'memberOf'
+{%     endif %}
         }
         profile {
         }