must i use rlm_ldap to use groups/ou via winbind/Active Directory?

Ivan Kalik tnt at kalik.net
Fri May 22 22:03:15 CEST 2009


> Problem:
>
> I want to enforce different access policies for users depending on who
> they are and where they try to authenticate.
>
> (1) If students or teachers try to authenticate on the wired lan I
> want my dot1x capable NAS to provide access only if the user has a
> computer cert and valid domain credentials

You enforce computer authentication on your hardware. If there is no mac
auth bypass, computer certificates will have to be used.

The number of users should determine which policy (let's call this one
wired_vlan) should go first.

> (2) If students try to connect via the student wireless lan they must
> only receive access if they are a member of the Active Directory based
> "student wireless users group", e.g. no staff member should be able to
> join.

This is straightforward use of huntgroups/sqlhuntgroups in combination
with Ldap-Group (your AD should be configured in ldap module).

> (3) If teachers try to connect via the teacher wireless lan, I want
> them to connect only if they HAVE a computer cert AND they have valid
> credentials. e.g. only members of the Active Directory based "staff
> group" using computers with a valid host credential may receive
> access.

This is a combination of the two above.

Create huntgroups/sqlhuntgroups wired_vlan, student_vlan and teacher_vlan.
Then put this in authorize (inner-tunnel, where ldap + preprocess is
enabled if you are using the huntgroups file, or where you have ldap + unlang
statements as described in the sql huntgroups howto):

if(Huntgroup-Name == "student_vlan" && Ldap-Group == "student") {
     ok
}
elsif(Huntgroup-Name == "wired_vlan") {
     ok
}
elsif(Huntgroup-Name == "teacher_vlan" && Ldap-Group == "staff") {
     ok
}
else {
     reject
}

That will allow only users with valid credentials access via the stated
vlans or vlan/group combinations.
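As an added example (not part of Ivan's reply), here is what the huntgroups
file and the group-related part of the ldap module could look like for the
policy above, on FreeRADIUS 2.x. The NAS addresses are constructed
placeholders, the AD base DN and bind account are assumed, and the group
names are assumed to be the cn values "student" and "staff" that the
Ldap-Group checks compare against.

```text
# /etc/raddb/huntgroups (added example; NAS addresses are constructed)
# Format: <Huntgroup-Name>  <check item>, <check item> ...
# Every check item on a line must match the incoming request for that
# huntgroup name to be assigned to the request by the preprocess module.
wired_vlan      NAS-IP-Address == 192.0.2.10, NAS-Port-Type == Ethernet
student_vlan    NAS-IP-Address == 192.0.2.20, NAS-Port-Type == Wireless-802.11
teacher_vlan    NAS-IP-Address == 192.0.2.30, NAS-Port-Type == Wireless-802.11

# /etc/raddb/modules/ldap (FreeRADIUS 2.x), group-related settings only;
# server, bind account and base DN are assumptions for this example.
ldap {
    server = "dc.example.edu"
    identity = "cn=radius,cn=Users,dc=example,dc=edu"
    password = "CHANGEME"
    basedn = "dc=example,dc=edu"
    # AD logins are matched on sAMAccountName rather than uid.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    # Ldap-Group == "student" looks the group up by cn, then checks
    # membership via the memberOf values on the user's own entry, so the
    # default groupOfNames groupmembership_filter is left out for AD.
    groupname_attribute = cn
    groupmembership_attribute = memberOf
}
```

The ldap module has to run before the Ldap-Group checks in authorize, since
the comparison needs the user DN it stores in control:Ldap-UserDn.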
