> Problem:
>
> I want to enforce different access policies for users depending on who
> they are and where they try to authenticate.
>
> (1) If students or teachers try to authenticate on the wired lan I
> want my dot1x capable NAS to provide access only if the user has a
> computer cert and valid domain credentials

You enforce computer authentication on your hardware. If there is no mac auth bypass, computer certificates will have to be used. Numbers of users should determine which policy (let's call this one wired_vlan) should go first.

> (2) If students try to connect via the student wireless lan they must
> only receive access if they are a member of the Active Directory based
> "student wireless users group", e.g. no staff member should be able to
> join.

This is straightforward use of huntgroups/sqlhuntgroups in combination with Ldap-Group (your AD should be configured in the ldap module).

> (3) If teachers try to connect via the teacher wireless lan, I want
> them to connect only if they HAVE a computer cert AND they have valid
> credentials. e.g only members of the Active Directory based "staff
> group" using computers with a valid host credential may receive
> access.

This is a combination of the two above. Create huntgroups/sqlhuntgroups wired_vlan, student_vlan and teacher_vlan. Then put this in authorize (inner-tunnel, where ldap + preprocess is enabled if you are using the huntgroups file, or you have ldap + unlang statements described in the sql huntgroups howto):

    if (Huntgroup-Name == "student_vlan" && Ldap-Group == "student") {
        ok
    }
    elsif (Huntgroup-Name == "wired_vlan") {
        ok
    }
    elsif (Huntgroup-Name == "teacher_vlan" && Ldap-Group == "staff") {
        ok
    }
    else {
        reject
    }

That will allow only users with valid credentials access to the stated VLANs or VLAN/group combinations.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
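For readers who want to see the two pieces the reply refers to side by side, here is an added example (not part of the original thread, and not the poster's own configuration) of a huntgroups file and an inner-tunnel authorize section implementing the three rules. It assumes FreeRADIUS 2.x with the file-based huntgroups (preprocess) and the ldap module; the NAS addresses and SSID names are constructed placeholders.

```unlang
# /etc/raddb/huntgroups  (users-file syntax read by the preprocess module)
# Constructed sample values: replace the switch / controller addresses and
# the SSIDs with your own. A request matching a line gets Huntgroup-Name
# set to the name in the first column.
wired_vlan    NAS-IP-Address == 192.0.2.10
wired_vlan    NAS-IP-Address == 192.0.2.11
# Wireless controllers send Called-Station-Id as "<AP-MAC>:<SSID>"
student_vlan  Called-Station-Id =~ "^.*:student-wifi$"
teacher_vlan  Called-Station-Id =~ "^.*:staff-wifi$"

# /etc/raddb/sites-enabled/inner-tunnel, authorize section.
# preprocess must run before the policy so Huntgroup-Name is set, and ldap
# must run before it so the Ldap-Group comparison can query AD.
# The NAS attributes above are only visible in the inner request when
# copy_request_to_tunnel = yes is set for peap/ttls in eap.conf.
authorize {
	preprocess
	suffix
	mschap
	eap
	ldap

	if (Huntgroup-Name == "student_vlan" && Ldap-Group == "student") {
		ok
	}
	elsif (Huntgroup-Name == "wired_vlan") {
		ok
	}
	elsif (Huntgroup-Name == "teacher_vlan" && Ldap-Group == "staff") {
		ok
	}
	else {
		# Unknown NAS, or wrong group for this network: refuse before
		# any password check happens.
		reject
	}

	pap
}
```

The computer-certificate requirement in rules (1) and (3) is not expressed in this policy; as the reply says, it is enforced by the EAP method and the NAS (machine authentication with EAP-TLS, no MAC auth bypass), and the unlang above only decides which huntgroup/group combinations may proceed to credential checking. Running `radiusd -X` and sending test requests with `radtest` for a user in each group against each huntgroup is the quickest way to confirm that only the intended combinations reach `ok`.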