i have RADIUS authN and authZ using kerberos and ldap working in my environment. from here i want to add MAC Auth Bypass and finally full .1x when i get a CA up and running. i plan to have MAC Auth Bypass as an interim solution, and will leave it in place when full .1x is running as a fallback method. i would like to get dynamic vlan assignment configured too. with that said, i am not sure of a few things. i am running v3.0.3 on Fedora 20. i have found the wiki article for MAC Auth, but that is for v2.x and a lot has changed from v2 to v3. because i am looking to leverage ldap lookups for MAC Auth Bypass, the info in the wiki does not seem applicable. where do i start looking for info around MAC Auth Bypass and ldap? the ldap module does not have anything that i am able to see as appropriate. i would like to avoid using the files module, as the mac address info, etc is in my ldap already. once i get MAB working, i want to begin assigning the VLAN based on MAC class or address. is the MAC the right data point to make that determination? i see the desire to have full .1x use dynamic VLAN assignment, too, so i want to make sure the decisions are not counter to each other. i am ultimately looking to have full .1x, with MAC Auth Bypass as a fallback, and in either case (or both, if that could/should be) have the VLAN assigned based on the outcome of the auth (or auth bypass). my logic would be: if the device passes .1x, the device is assigned to VLAN_X. if the device fails .1x, the device is assigned to VLAN_Z. if the device cannot do .1x, and passes MAC Auth Bypass (i.e. the MAC is known and is in ldap), the device is assigned to VLAN_Y. if the device cannot do .1x and fails MAC Auth Bypass, the device is assigned to VLAN_Z. since full .1x is not going to be turned up right now, the last two pieces of the logic are what i am looking to pursue at this point. any pointers on where to start would be appreciated.