hi jrwhitehead,
dot1x-servergroup with SDRs to derive ROLE / VLAN / RBVs. You can make your RADIUS servers return a unique string based on the user-groups (say Filter-Id "123" for group1 or "456" for group2) from the access-policy, and use this as the matching condition in the SDR. Or you can directly return different VSAs based on each group (if you don't want to use SDRs) from the RADIUS server.
ex:
string matches condition 1 -- derive Role-x / vlan-x
string matches condition 2 -- derive Role-y / vlan-y
consider vlan-z as the VAP-vlan / vlan derived from UDR or MAC auth.
possible scenarios:
1. When the client passes machine-auth (intermittent state), it will be placed in the default VLAN (vlan z) from the VAP / the vlan derived from UDRs or MAC-auth (if configured), but not with SDRs / VSAs / MSFT-attributes returned by the RADIUS server during machine-auth.
2. When the client passes both machine- and user-auth + hits a configured ServerDerivationRule / receives a VSA or MSFT attribute from the RADIUS server: then the client is placed in the respective derived user-role / derived vlan (say vlan x or vlan y).
3. When the client fails machine-auth + passes user-dot1x (and hits an SDR / RADIUS server returned VSA / MSFT attribute): the client is not honored with derived user-roles / derived vlans from SDRs / VSAs or MSFT attributes. Instead the client is placed in the default machine-user-role (configured in the dot1x profile), and the vlan (vlan z) which is either the VAP-vlan / vlan derived from UDR or MAC-auth (if configured).
So vlan z should be a restricted vlan; non-domain clients (the clients which fail machine-auth) will be placed in this vlan.
And if you want to force the clients every time to authenticate with a particular server in a server-group, you can very well use the match-fqdn option in the server-group.
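As an added illustration (not part of the reply above, and not a config from the original poster) of how the pieces discussed fit together in ArubaOS CLI: a server group whose SDRs key on the Filter-Id string the RADIUS server returns, a dot1x profile carrying the machine-auth default roles, and a VAP whose VLAN plays the role of the restricted "vlan z". Every name and number here is assumed for the example: the server group dot1x-servergroup, RADIUS servers rad-corp and rad-guest, the Filter-Id values 123/456, roles role-x/role-y/machine-only/user-only, VLANs 100/200/999, the domain string corp.example used with match-fqdn, and the profile names. Check the exact option syntax against the CLI reference for your ArubaOS release.

```text
! Server group: SDRs map the RADIUS Filter-Id string to role and VLAN.
! Per the reply, these derivations are honored only after user-auth succeeds
! (scenario 2); during machine-auth or after a machine-auth failure
! (scenarios 1 and 3) the client stays in the default role and VLAN.
! Filter-Id 123 / 456 are assumed values returned by the RADIUS access-policy.
aaa server-group "dot1x-servergroup"
  auth-server "rad-corp" match-fqdn "corp.example"
  auth-server "rad-guest"
  set role condition Filter-Id equals "123" set-value "role-x"
  set vlan condition Filter-Id equals "123" set-value "100"
  set role condition Filter-Id equals "456" set-value "role-y"
  set vlan condition Filter-Id equals "456" set-value "200"
!
! match-fqdn above pins users whose username carries the corp.example
! domain to rad-corp; everyone else falls through to rad-guest.
!
! dot1x profile: the machine-auth defaults the reply refers to.
! machine-default-role applies when only machine-auth passed (scenario 1),
! user-default-role applies when machine-auth failed but user-auth passed
! (scenario 3); neither is overridden by SDR/VSA results.
aaa authentication dot1x "dot1x-prof"
  machine-authentication enable
  machine-authentication machine-default-role "machine-only"
  machine-authentication user-default-role "user-only"
!
! AAA profile tying the dot1x profile to the server group (assumed names).
aaa profile "corp-aaa"
  authentication-dot1x "dot1x-prof"
  dot1x-server-group "dot1x-servergroup"
!
! VAP: VLAN 999 is the restricted "vlan z". Clients that fail machine-auth
! land here even if the RADIUS server returns a matching Filter-Id, so
! this VLAN should be firewalled accordingly.
wlan virtual-ap "corp-vap"
  vlan 999
  aaa-profile "corp-aaa"
```

On the RADIUS side the only requirement this example imposes is that the access-policy for each user group returns the standard Filter-Id attribute with the agreed string; the alternative the reply mentions, returning Aruba VSAs (for example Aruba-User-Role / Aruba-User-Vlan) directly from the server, needs no SDR lines at all but still follows the same machine-auth gating.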