must i use rlm_ldap to use groups/ou via winbind/Active Directory?

[john]

.
>
> That depends on capabilities of your equipment. This how Cisco implements it:
>
> www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
>
> Other vendors have more on less the same. It is enabled on some models and
> not on others.

Thanks for this.
>
>> So this policy would check the huntgroup that the NAS was a member of
>> and then go on to check if the users was part of the proper
>> Ldap-Group and assuming that both were true then access would be
>> granted. I am still not clear how  some hunt groups will always
>> require a host cert and others never will. Is this set in the hunt
>> group?
>
> No, on the equipment. Your setup is such that you have to enforce
> (enable/disable) it on hardware. If you would require certificates for
> access to all hardware you could enforce it with AD Group Policy. Like
> this students don't need machine certificates for wireless access. So, you
> should enable mac auth bypass on your student APs. Most APs should have
> such feature.You should make students register mac address of their
> wireless equipment if they want to connect.

Hmm. I don't think I like this approach for a couple of reasons,
perhaps you can let me know if I am
thinking about this incorrectly.

We already use mac address as an auth scheme and I want to move away
from this because of the ease of mac spoofing in a wireless
environment. That's why I hoped to move to username/password
authentication with WPA2 that was centrally managed via freeradius <=>
Active Directory.

I currently  have a fairly central way to manage access by mac, but I
would have to give that up if I had to maintain a mac address table on
each NAS. I guess I could add a list of allowed mac addresses in the
freeradius/users file and maintain it from there?

Just so I understand you clearly, we can't have 1 class of users who
must use host certs via NAS A and another class of uses who never have
to use certs via  NAS B on the same freeradius  server?

 If that is the case I think I might want to set up a second instance
of Freeradius and point the NAS that don't require host certs at that
one. I could simply mint another virtual freeradius instance in
freeradius/sites-enabled couldn't I?

If I have this all muddled up, I hope you'll straighten me out.

Thanks for all of your help.

John