for example, if, on the current ACS server, i set the host where 'radtest' lives to...
"authenticate using" -> "RADIUS (Cisco aironet)",
...I get back the correct wireless vlan info. If I then set it to authenticate using "RADIUS (VPN 3000)", I don't get back the vlan info but the Cisco-AVPair = "shell:priv-lvl=15" response is present.
The "users" file will help you design such rules. First you might find useful to group your devices by IP addresses with the _huntgroup_ file. Then your rules in "users" might _look_like_: DEFAULT Huntgroup-Name == Aironet, Ldap-Group == Managers Tunnel-Private-Group-Id = "100" DEFAULT Huntgroup-Name == Aironet, Ldap-Group == Users Tunnel-Private-Group-Id = "101" DEFAULT Huntgroup-Name == VPN, Ldap-Group == Managers Tunnel-Private-Group-Id = "shell:priv-lvl=15" DEFAULT Huntgroup-Name == VPN, Ldap-Group == Users Tunnel-Private-Group-Id = "shell:priv-lvl=7" See in the doc/processing_users_file and the samples from the users file in the distro (first line in check-items, the following are reply attributes/value pairs). The doc/aaa.txt file is very valuable as well.
In addition, I'd like to determine how I can restrict access to specific groups through specific devices.
I'll be using both ldap and mysql for user info
See doc/rlm_ldap for ldap details. HTH, Thibault