We are working on integrating our new AD environment into the CPPM.
I would like to change the way that we do our Role Mappings and Enforcement.
We are using EAP-MSCHAPv2 to do all of our domain user and domain computer authentication.
Computer authentication provides a user-role that has limited access to the network.
User authentication changes the user-role to provide additional network access.
We have some computers that need to be placed into different subnets. We are currently accomplishing this using a combination of Role Mappings. We assign the roles based on a custom attribute that we apply to the device in the Endpoints database. We went this route in the beginning because very early on we were having a lot of issues with machine authentication, and after we fixed that, we never really adjusted any of our rules.
I have been thinking about using AD groups to organize the machines going forward and doing Role Mappings based on those group memberships.
I am just curious if this is a good approach or if there are better practices that I should be following.
Cheers
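The two role-mapping styles the post compares (Endpoint custom attribute versus AD group membership), modelled as an added example. This is a deliberately simplified stand-in for how a role-mapping policy evaluates rules against request attributes; it is not ClearPass code, and the attribute names (`auth_type`, `memberOf`, `endpoint.subnet_group`) and the role names are constructed for the illustration rather than ClearPass's own dictionary names.

```python
# Added example (not ClearPass's own code): a toy role-mapping evaluator.
# All attribute and role names below are constructed for illustration.
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Rule:
    """One role-mapping rule: every condition must match for the role to be added."""
    name: str
    conditions: dict[str, Any]  # attribute name -> required value
    role: str


def _matches(rule: Rule, attrs: dict[str, Any]) -> bool:
    """True when every condition holds; multi-valued attributes (e.g. memberOf)
    match when they contain the required value."""
    for key, wanted in rule.conditions.items():
        actual = attrs.get(key)
        if isinstance(actual, (list, tuple, set, frozenset)):
            if wanted not in actual:
                return False
        elif actual != wanted:
            return False
    return True


def evaluate(rules: list[Rule], attrs: dict[str, Any], default_role: str) -> list[str]:
    """Evaluate-all semantics: every matching rule contributes its role; if
    nothing matches, the default role is returned (mirrors a policy default)."""
    roles = [rule.role for rule in rules if _matches(rule, attrs)]
    return roles or [default_role]


# Shared base rules: machine auth gets a limited role, user auth an expanded one.
BASE_RULES = [
    Rule("machine-auth", {"auth_type": "machine"}, "Domain Computer (limited)"),
    Rule("user-auth", {"auth_type": "user"}, "Domain User"),
]

# Old approach from the post: the subnet role hangs off an Endpoint custom attribute.
ENDPOINT_ATTR_RULES = BASE_RULES + [
    Rule("lab-by-endpoint-attr",
         {"auth_type": "machine", "endpoint.subnet_group": "Lab"},
         "Lab Subnet"),
]

# Proposed approach: the subnet role hangs off AD group membership instead.
LAB_GROUP_DN = "CN=Lab-Workstations,OU=Groups,DC=example,DC=local"  # constructed
AD_GROUP_RULES = BASE_RULES + [
    Rule("lab-by-ad-group",
         {"auth_type": "machine", "memberOf": LAB_GROUP_DN},
         "Lab Subnet"),
]


def sample_machine_request(in_lab_group: bool, has_endpoint_tag: bool) -> dict[str, Any]:
    """Constructed machine-auth request; the two flags model where the
    'this box belongs in the lab subnet' fact is recorded."""
    attrs: dict[str, Any] = {
        "auth_type": "machine",
        "memberOf": ["CN=Domain Computers,CN=Users,DC=example,DC=local"],
    }
    if in_lab_group:
        attrs["memberOf"].append(LAB_GROUP_DN)
    if has_endpoint_tag:
        attrs["endpoint.subnet_group"] = "Lab"
    return attrs


if __name__ == "__main__":
    # A lab machine that is in the AD group but was never tagged in Endpoints:
    req = sample_machine_request(in_lab_group=True, has_endpoint_tag=False)
    print("endpoint-attr rules:", evaluate(ENDPOINT_ATTR_RULES, req, "Deny"))
    print("ad-group rules:     ", evaluate(AD_GROUP_RULES, req, "Deny"))
```

Running it on a machine that was added to the AD group but never tagged in the Endpoints database shows the practical difference: the endpoint-attribute ruleset yields only the limited computer role, while the AD-group ruleset also yields the subnet role, so the subnet assignment follows the directory rather than a per-device tag maintained by hand in CPPM.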