Automate an export of the list of WiFi MAC addresses of your managed computers from the DC. Then in post-auth, query that list (we use an SQL database) and use the result to alter the tunnel-group-ID sent back in the outer reply. Users can spoof their MAC addresses, of course, but as long as you are doing this mainly to contain contagion rather than high security, it is satisfactory.
The other option in a managed environment is of course to use TLS for the managed computers and install certs. You could even embed the MAC address into the cert and check that that matches the Calling-Station-ID. Still spoofable, of course, but barring a hardware crypto solution, everything is to a pro.

________________________________________
From: freeradius-users-bounces+bjulin=clarku....@lists.freeradius.org [freeradius-users-bounces+bjulin=clarku....@lists.freeradius.org] On Behalf Of McSparin, Joe [jmcspa...@hillcountrymemorial.org]
Sent: Tuesday, December 27, 2011 5:51 PM
To: FreeRadius users mailing list
Subject: Domain Group Authentication

I currently have FreeRadius set up to authenticate against Active Directory and it works great. I was wondering, though, for everyone out there using it, if you had any recommendations for this scenario:

I have users that will connect wirelessly using their NT domain username and password on the hospital's wireless devices. I also, however, have doctors that will bring in their own laptops and connect. When they connect with their laptops, though, I do not want them to have the same privileges as when they connect on the hospital wireless devices. If they are connecting with their laptops, even though they use their NT domain user name and password, I want to restrict them to a public VLAN.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
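As an added example of the MAC-lookup approach described in the reply above (this is not code from the thread or from the FreeRADIUS project), the following implements the post-auth logic with rlm_python. It assumes the DC export has already been loaded into a SQL table named managed_mac holding one lower-case, separator-free MAC per row; a constructed in-memory SQLite table stands in for that database so the example runs offline. The VLAN numbers (10 and 200) and the rlm_python hook are assumptions, and the rlm_python return codes are stubbed only when the script is run outside the server. One practical detail the reply does not spell out is that Calling-Station-Id spelling varies by NAS vendor (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455, 001122334455), so the MAC is normalised before the lookup, and anything that is not a managed MAC, including a missing or unparseable Calling-Station-Id, falls through to the public VLAN.

```python
"""
Added example (not from the original thread or the FreeRADIUS project):
MAC-based VLAN steering in the outer server's post-auth via rlm_python.
The managed_mac table is assumed to be filled from the DC export; here a
constructed in-memory SQLite table stands in for the real SQL database.
"""
import re
import sqlite3

try:
    import radiusd                     # injected by FreeRADIUS when loaded by rlm_python
except ImportError:                    # stand-in with the real module's return codes, for offline runs
    class radiusd:
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8

# Hypothetical VLAN numbers: managed (domain-joined) computers vs. the public VLAN.
MANAGED_VLAN = "10"
PUBLIC_VLAN = "200"

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(calling_station_id):
    """Collapse the NAS-specific spellings of Calling-Station-Id
    (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455, 001122334455)
    to 12 lower-case hex digits; return None if it is not a MAC at all."""
    if calling_station_id is None:
        return None
    mac = _NON_HEX.sub("", calling_station_id.lower())
    return mac if len(mac) == 12 else None


def build_db(managed_macs):
    """Constructed stand-in for the SQL database holding the DC export."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE managed_mac (mac TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO managed_mac VALUES (?)",
                   [(normalize_mac(m),) for m in managed_macs])
    return db


def is_managed(db, mac):
    """Parameterised lookup; the MAC comes from the client, so never format it into SQL."""
    row = db.execute("SELECT 1 FROM managed_mac WHERE mac = ?", (mac,)).fetchone()
    return row is not None


def vlan_for(db, calling_station_id):
    """Managed MAC -> MANAGED_VLAN; anything else, including a missing or
    unparseable Calling-Station-Id, -> PUBLIC_VLAN (fail closed)."""
    mac = normalize_mac(calling_station_id)
    if mac is not None and is_managed(db, mac):
        return MANAGED_VLAN
    return PUBLIC_VLAN


def vlan_reply(vlan):
    """RFC 3580 tunnel attributes that tell the NAS which VLAN to put the session on."""
    return (("Tunnel-Type", "VLAN"),
            ("Tunnel-Medium-Type", "IEEE-802"),
            ("Tunnel-Private-Group-Id", vlan))


# Constructed export; in production this is (re)loaded from the DC export.
DB = build_db(["00-11-22-33-44-55", "AA:BB:CC:DD:EE:01"])


def post_auth(p):
    """rlm_python post-auth hook: p is a tuple of (attribute, value) pairs from
    the request; the returned reply pairs are added to the Access-Accept."""
    attrs = dict(p)
    vlan = vlan_for(DB, attrs.get("Calling-Station-Id"))
    return (radiusd.RLM_MODULE_UPDATED, vlan_reply(vlan), ())
```

To wire this in, the rlm_python module instance is pointed at this file and its post-auth function (the module's config keys for that hook are mod_post_auth and func_post_auth), and the instance is listed in the post-auth section of the outer virtual server, so the tunnel attributes land in the reply the NAS sees rather than inside the EAP tunnel. As the reply above says, this only contains devices, it does not authenticate them: anyone who can set their MAC to one in the export lands on the managed VLAN.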