So multi-building, multi-campus environment here.
I have had a web/MAC auth service up and running for our guest/legacy-device network. It looks like the following:
OPENSSID-ROLE
1. (Endpoint:Username EXISTS ) [MAC Caching]
2. (Authentication:Source EQUALS [FACSTAFF AD]) [Facstaff]
3. (Authentication:Source EQUALS [MISC USERS MSSQL]) [SQL]
4. (Authentication:Source EQUALS [STUDENT AD]) [Student]
5. (Authentication:Source EQUALS [Guest User Repository]) [Guest]
ENFPOLICY
1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 3) [Deny Access Profile]
2. (Tips:Role EQUALS [Facstaff]) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS1) [CAMPUS1 Guest Role], MACAUTHSTUFF
3. (Tips:Role EQUALS [Student]) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS1) [CAMPUS1 Guest Role], MACAUTHSTUFF
4. (Tips:Role EQUALS [Guest]) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS1) [CAMPUS1 Guest Role], MACAUTHSTUFF
5. (Tips:Role EQUALS [Facstaff]) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS2) [CAMPUS2 Guest Role], MACAUTHSTUFF
6. (Tips:Role EQUALS [Student]) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS2) [CAMPUS2 Guest Role], MACAUTHSTUFF
7. (Tips:Role EQUALS [Guest]) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS2) [CAMPUS2 Guest Role], MACAUTHSTUFF
8. (Tips:Role EQUALS [SQL]) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS2) [CAMPUS2 SQL Role], MACAUTHSTUFF
My issue is the following. The SQL auth source contains a subset of users that rent spaces from us for six or so months at a time. I want to be able to web/MAC auth them (we require re-logins every 8 hours) like I do everyone else, but I only want them to be able to do their initial login from two buildings in particular (where they rent space). I copied my original service, moved the copy above the original, and put a Radius:Aruba Aruba-AP-Group EQUALS BUILDING-AP-GROUP rule in the service.
I haven't enabled the service yet, but my first thought is that users from all auth sources go into BUILDING-AP-GROUP. If they hit my newly created service, they'll just fail auth, I think, and never roll down to the next (original) service where they would normally work.
Thoughts?
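To make the service-ordering concern concrete, here is a small added illustration of the evaluation model; it is not the original poster's configuration export and not ClearPass code. It assumes the usual first-match behaviour (services are tried top-down, the first one whose classification rules all match is used, and a request that then fails authentication inside that service is rejected rather than retried against later services), assumes the copied service was narrowed to the SQL repository only, uses a constructed stand-in classification rule (Connection:Protocol EQUALS RADIUS), and uses constructed NAD IPs and AP-group names. It also models an alternative that is not from the post: one service, with the building restriction expressed as an enforcement rule on the SQL role instead of as a service-classification rule. The "initial login only" distinction (cached MAC sessions versus a fresh web login) is not modelled.

```python
"""Toy model of first-match service classification followed by role mapping
and enforcement.  Added example, not ClearPass code.  Assumptions: first
matching service wins with no fall-through on auth failure; the request's
home repository is given directly as 'Authentication:Source' instead of a
real lookup; NAD IPs, AP-group names and the Protocol rule are constructed."""

from dataclasses import dataclass

NAD_GROUPS = {"CAMPUS1": {"10.1.0.5"}, "CAMPUS2": {"10.2.0.5"}}  # constructed


def matches(cond, req):
    """Evaluate one (attribute, operator, value) condition against a request.
    Multi-valued attributes (Tips:Role) are sets; EQUALS then means 'contains'."""
    attr, op, val = cond
    have = req.get(attr)
    if op == "EXISTS":
        return have is not None
    if op == "GREATER_THAN":
        return have is not None and have > val
    if op == "BELONGS_TO_GROUP":
        return have in NAD_GROUPS.get(val, set())
    hit = (val in have) if isinstance(have, set) else (have == val)
    if op == "EQUALS":
        return hit
    if op == "NOT_EQUALS":
        return not hit
    raise ValueError(f"unknown operator {op}")


@dataclass
class Service:
    name: str
    classify: list       # all must match for a request to land in this service
    auth_sources: list   # repositories this service is allowed to try
    role_rules: list     # (condition, role): every matching rule adds its role
    enforcement: list    # ([conditions], profile): first match wins


def evaluate(services, req):
    """Return (service name, enforcement profile); 'REJECT' when nothing allows access."""
    svc = next((s for s in services
                if all(matches(c, req) for c in s.classify)), None)
    if svc is None:
        return ("no matching service", "REJECT")
    if req["Authentication:Source"] not in svc.auth_sources:
        return (svc.name, "REJECT")          # no fall-through to a later service
    roles = {r for c, r in svc.role_rules if matches(c, req)}
    req = {**req, "Tips:Role": roles}
    for conds, profile in svc.enforcement:
        if all(matches(c, req) for c in conds):
            return (svc.name, profile)
    return (svc.name, "REJECT")              # default profile treated as deny here


SOURCES = {"FACSTAFF AD": "Facstaff", "MISC USERS MSSQL": "SQL",
           "STUDENT AD": "Student", "Guest User Repository": "Guest"}
ROLE_RULES = [(("Endpoint:Username", "EXISTS", None), "MAC Caching")] + \
    [(("Authentication:Source", "EQUALS", src), role) for src, role in SOURCES.items()]
# Enforcement mirrors the post: device-count deny first, then per-campus rules
# (only the first profile is kept; MACAUTHSTUFF is omitted). CAMPUS1 has no SQL rule.
ENF = [([("Authorization:[Endpoints Repository]:Unique-Device-Count", "GREATER_THAN", 3)],
        "Deny Access Profile")]
for campus, roles in (("CAMPUS1", ["Facstaff", "Student", "Guest"]),
                      ("CAMPUS2", ["Facstaff", "Student", "Guest", "SQL"])):
    for role in roles:
        ENF.append(([("Tips:Role", "EQUALS", role),
                     ("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", campus)],
                    f"{campus} {'SQL' if role == 'SQL' else 'Guest'} Role"))

ORIGINAL = Service("OPENSSID web/MAC auth",
                   classify=[("Connection:Protocol", "EQUALS", "RADIUS")],  # constructed stand-in
                   auth_sources=list(SOURCES), role_rules=ROLE_RULES, enforcement=ENF)

# Assumed shape of the copied service: same rules plus the AP-group match,
# and (assumption) only the SQL repository left as an auth source.
COPY = Service("Renter web/MAC auth (copy)",
               classify=ORIGINAL.classify + [("Radius:Aruba:Aruba-AP-Group", "EQUALS", "BUILDING-AP-GROUP")],
               auth_sources=["MISC USERS MSSQL"], role_rules=ROLE_RULES, enforcement=ENF)

# Alternative modelled here (not from the post): keep ONE service and put the
# building restriction in enforcement, so users from other sources are untouched.
RESTRICTED = Service("OPENSSID web/MAC auth (single service)",
                     classify=ORIGINAL.classify, auth_sources=list(SOURCES), role_rules=ROLE_RULES,
                     enforcement=ENF[:1] + [([("Tips:Role", "EQUALS", "SQL"),
                                              ("Radius:Aruba:Aruba-AP-Group", "NOT_EQUALS", "BUILDING-AP-GROUP")],
                                             "Deny Access Profile")] + ENF[1:])


def request(source, nad_ip, ap_group, devices=1):
    """Constructed RADIUS request as the policy engine would see it."""
    return {"Connection:Protocol": "RADIUS", "Authentication:Source": source,
            "Connection:NAD-IP-Address": nad_ip, "Radius:Aruba:Aruba-AP-Group": ap_group,
            "Authorization:[Endpoints Repository]:Unique-Device-Count": devices}


if __name__ == "__main__":
    facstaff = request("FACSTAFF AD", "10.2.0.5", "BUILDING-AP-GROUP")
    renter = request("MISC USERS MSSQL", "10.2.0.5", "BUILDING-AP-GROUP")
    renter_elsewhere = request("MISC USERS MSSQL", "10.2.0.5", "OTHER-AP-GROUP")
    print("original only  :", evaluate([ORIGINAL], facstaff))
    print("copy on top    :", evaluate([COPY, ORIGINAL], facstaff))   # REJECT, never reaches ORIGINAL
    print("copy on top    :", evaluate([COPY, ORIGINAL], renter))
    print("single service :", evaluate([RESTRICTED], facstaff), evaluate([RESTRICTED], renter_elsewhere))
```

Running the script shows the failure mode the post anticipates: a Facstaff user associated to BUILDING-AP-GROUP is classified into the copied service, fails against its only auth source, and is rejected without the original service ever being consulted. The single-service variant keeps classification unchanged and denies only the SQL role outside the building AP group.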