MAC Auth Bypass and LDAP

Brendan Kearney bpk678 at gmail.com
Tue Apr 7 15:18:34 CEST 2015


I have RADIUS authN and authZ using Kerberos and LDAP working in my
environment.  From here I want to add MAC Auth Bypass and finally
full .1x when I get a CA up and running.  I plan to have MAC Auth Bypass
as an interim solution, and will leave it in place when full .1x is
running as a fallback method.  I would like to get dynamic VLAN
assignment configured too.  With that said, I am not sure of a few
things.

I am running v3.0.3 on Fedora 20.  I have found the wiki article for MAC
Auth, but that is for v2.x and a lot has changed from v2 to v3.  Because
I am looking to leverage LDAP lookups for MAC Auth Bypass, the info in
the wiki does not seem applicable.  Where do I start looking for info
around MAC Auth Bypass and LDAP?  The ldap module does not have anything
that I am able to see as appropriate.  I would like to avoid using the
files module, as the MAC address info, etc., is in my LDAP already.

Once I get MAB working, I want to begin assigning the VLAN based on MAC
class or address.  Is the MAC the right data point to make that
determination?  I see the desire to have full .1x use dynamic VLAN
assignment, too, so I want to make sure the decisions are not counter to
each other.

I am ultimately looking to have full .1x, with MAC Auth Bypass as a
fallback, and in either case (or both, if that could/should be) have the
VLAN assigned based on the outcome of the auth (or auth bypass).  My
logic would be:
if the device passes .1x, the device is assigned to VLAN_X.
if the device fails .1x, the device is assigned to VLAN_Z.
if the device cannot do .1x, and passes MAC Auth Bypass (i.e. the MAC is
known and is in LDAP), the device is assigned to VLAN_Y.
if the device cannot do .1x and fails MAC Auth Bypass, the device is
assigned to VLAN_Z.

Since full .1x is not going to be turned up right now, the last two
pieces of the logic are what I am looking to pursue at this point.  Any
pointers on where to start would be appreciated.
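One way to express the MAB-with-LDAP branch and the VLAN assignment in FreeRADIUS 3.0 unlang, added here as an illustration and not taken from the poster or from the FreeRADIUS project; it assumes a second ldap instance named ldap_mab, a directory attribute macAddress holding the MAC as aa-bb-cc-dd-ee-ff, and the base DN and server name shown, all of which are placeholders to adapt.

```unlang
# mods-available/ldap_mab: a second ldap instance whose user filter
# matches on the MAC instead of uid (server, base_dn and macAddress
# are assumptions; anonymous bind is assumed for brevity)
ldap ldap_mab {
    server  = "ldap.example.com"
    base_dn = "ou=devices,dc=example,dc=com"
    user {
        base_dn = "${..base_dn}"
        # rewrite_calling_station_id below normalises the MAC to
        # lowercase aa-bb-cc-dd-ee-ff, so store it that way in LDAP
        filter = "(macAddress=%{Calling-Station-Id})"
    }
}

# sites-available/default
authorize {
    if (&EAP-Message) {
        # 802.1X supplicant present: normal EAP path, existing
        # Kerberos/LDAP authN and authZ stay as configured today
        eap
    }
    else {
        # No EAP: the switch is doing MAC Auth Bypass and sends the
        # MAC as User-Name. Look the MAC up, never a password.
        rewrite_calling_station_id
        ldap_mab
        if (notfound || fail) {
            # Unknown MAC: Access-Reject. VLAN_Z for rejected devices
            # is the switch's auth-fail VLAN, not a RADIUS attribute.
            reject
        }
        update control {
            &Auth-Type     := Accept     # known MAC, no credential to check
            &Tmp-String-0  := "VLAN_Y"   # MAB outcome selects VLAN_Y
        }
    }
}

post-auth {
    # RFC 3580 dynamic VLAN: VLAN_Y if MAB set Tmp-String-0, else
    # VLAN_X for a device that passed 802.1X
    update reply {
        &Tunnel-Type             := VLAN
        &Tunnel-Medium-Type      := IEEE-802
        &Tunnel-Private-Group-Id := "%{%{control:Tmp-String-0}:-VLAN_X}"
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Switches do not honour Tunnel-* attributes in an Access-Reject, so the two "assigned to VLAN_Z" outcomes have to be configured on the switch as its auth-fail or guest VLAN; RADIUS only decides accept versus reject there.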



More information about the Freeradius-Users mailing list