Hi all, I am gradually refining my thinking thanks to help from Ivan and others on the list.

I am using the current freeradius stable along with Active Directory to provide dot1x based access for our school district. Our test setup looks like this:

active directory <=> winbind <=> Freeradius <=> NAS <=> supplicant

Problem: I want to enforce different access policies for users depending on who they are and where they try to authenticate.

(1) If students or teachers try to authenticate on the wired lan, I want my dot1x capable NAS to provide access only if the user has a computer cert and valid domain credentials.

(2) If students try to connect via the student wireless lan, they must only receive access if they are a member of the Active Directory based "student wireless users group", e.g. no staff member should be able to join.

(3) If teachers try to connect via the teacher wireless lan, I want them to connect only if they HAVE a computer cert AND they have valid credentials, e.g. only members of the Active Directory based "staff group" using computers with a valid host credential may receive access.

One solution would be to have two different radius servers, and point different NAS clients at the appropriate server, but I think this is probably not the "right" way to do this. Ideally, I should be able to do it all from a single radius server with appropriate controls.

I see that in the past folks have done similar things with openLdap and freeradius. But I think that using winbind may have changed this for users of Active Directory. I am not sure how to proceed. I would appreciate any guidance you wish to share.

Thanks!
John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
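One way to express the per-NAS, per-group part of rules (2) and (3) on a single FreeRADIUS 2.x server with winbind, added here as an illustration and not taken from John's post or any list reply: tag each NAS with a huntgroup, then run MS-CHAPv2 through a separate mschap instance whose ntlm_auth call carries --require-membership-of for the matching AD group. The NAS addresses, the EXAMPLE domain and the group names are placeholders; the computer-certificate requirement of rules (1) and (3) is left to the EAP TLS layer and is not shown here.

```unlang
# raddb/huntgroups: tag requests by the NAS they arrive from
# (constructed addresses; replace with the real NAS IPs)
wired_lan     NAS-IP-Address == 192.0.2.10
student_wifi  NAS-IP-Address == 192.0.2.20
staff_wifi    NAS-IP-Address == 192.0.2.30

# raddb/modules/mschap_groups: one mschap instance per AD group.
# Only --require-membership-of differs; ntlm_auth fails the check
# when the account is not in that group (a group SID also works).
mschap mschap_students {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE\\student_wireless_users"
}
mschap mschap_staff {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE\\staff"
}

# raddb/sites-available/inner-tunnel: choose the instance by huntgroup.
# Assumes copy_request_to_tunnel = yes in the peap section of eap.conf,
# so NAS-IP-Address from the outer request is visible inside the tunnel.
authorize {
    preprocess      # loads huntgroups so Huntgroup-Name comparisons work
    mschap          # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
    eap             # EAP-MSCHAPv2 inside PEAP ends up in Auth-Type MS-CHAP below
}

authenticate {
    Auth-Type MS-CHAP {
        if (Huntgroup-Name == "student_wifi") {
            mschap_students     # students only, via the AD group check
        }
        elsif (Huntgroup-Name == "staff_wifi") {
            mschap_staff        # staff only, via the AD group check
        }
        elsif (Huntgroup-Name == "wired_lan") {
            mschap              # any valid domain account; cert checked by EAP-TLS
        }
        else {
            reject              # request from a NAS with no policy: no access
        }
    }
}
```

Requests from a NAS that matches no huntgroup are rejected rather than falling through to the unrestricted instance, which is the failure mode to watch for when a new switch or access point is added before its policy is.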