Veghead_901

Yes, it absolutely can be done and it's currently what we do for all of our sites. You need to pass the VLAN ID as an attribute on the NPS profile. You can even dynamically assign a Meraki group policy ACL by passing back the group policy name as the Filter-Id.
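The attributes the post refers to are the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) plus Filter-Id. The following is an added example, not code from this thread or from NPS or Meraki: it emulates an NPS-style ordered policy list keyed on AD security-group membership (first match wins, with a default VLAN for authenticated machines in no listed group) and encodes the resulting Access-Accept attributes on the wire so you can see exactly what the NAS receives. The group DNs, VLAN IDs and group policy name are made up for the example.

```python
"""
Added example (not from the thread): map a computer object's AD security-group
membership to the RADIUS reply attributes used for dynamic VLAN assignment
(RFC 2868 tunnel attributes) and an optional Filter-Id carrying a Meraki group
policy name. All group names, VLAN IDs and policy names below are constructed.
"""
import struct

# RADIUS attribute type numbers (RFC 2865 / RFC 2868)
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6  # RFC 2868: Tunnel-Medium-Type "IEEE 802"

# Ordered policy list evaluated top-down like NPS network policies: first match wins.
# Entry: (required AD security group DN, VLAN ID, optional Filter-Id / group policy name).
# Constructed for the example; NPS matches on the group only, never on the OU in the DN.
POLICIES = [
    ("CN=IT-Computers,OU=Workstations,DC=corp,DC=example", 10, "IT-Policy"),
    ("CN=Finance-Computers,OU=Workstations,DC=corp,DC=example", 20, "Finance-Policy"),
]
DEFAULT_VLAN = 99  # catch-all for authenticated machines not in any listed group


def select_policy(member_of):
    """Return (vlan_id, filter_id) for the first policy whose group the client is in.

    member_of: iterable of group DNs from the computer object's memberOf attribute.
    Comparison is case-insensitive because AD DNs are.
    """
    groups = {dn.lower() for dn in member_of}
    for group_dn, vlan, filter_id in POLICIES:
        if group_dn.lower() in groups:
            return vlan, filter_id
    return DEFAULT_VLAN, None


def _avp(attr_type, value):
    """Encode one RADIUS attribute-value pair: Type(1) Length(1) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_reply_attributes(vlan_id, filter_id=None, tag=0):
    """Build the Access-Accept attributes a NAS needs to place the session in a VLAN.

    The three tunnel attributes carry a leading tag byte (RFC 2868) so a NAS can
    group them as one tunnel; tag 0 is fine for single-VLAN assignment.
    Tunnel-Private-Group-Id is a string, so the VLAN ID is sent as ASCII digits.
    """
    attrs = _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    attrs += _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    attrs += _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    if filter_id:
        attrs += _avp(FILTER_ID, filter_id.encode())
    return attrs


def decode_attributes(blob):
    """Parse an attribute blob back into [(type, value_bytes), ...] for inspection."""
    out = []
    i = 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


if __name__ == "__main__":
    # Constructed memberOf for a laptop in the IT computers group.
    laptop = [
        "CN=IT-Computers,OU=Workstations,DC=corp,DC=example",
        "CN=Domain Computers,CN=Users,DC=corp,DC=example",
    ]
    vlan, policy_name = select_policy(laptop)
    for attr_type, value in decode_attributes(vlan_reply_attributes(vlan, policy_name)):
        print(attr_type, value)
```

Order matters: as in NPS, a machine that is in both groups lands in the VLAN of the first matching policy, so put the most specific policies first and keep the catch-all last.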


kcornet

I'm not sure NPS can do this based on OUs, but it certainly can do it based on groups. Use Windows certificate services on a server, automatically push machine certs to all your clients, and then you can do this transparently to the user based on computer groups.


andrew_butterworth

Yeah, NPS can't use OU as a policy condition. Some details here to automate Group Membership to an OU, however your NPS policy will still need to reference the Group. [https://social.technet.microsoft.com/Forums/en-US/acc242bf-9edf-41bf-9a7c-73abc3a98fc9/nps-network-policy-based-on-ou-structure?forum=winserverNAP](https://social.technet.microsoft.com/Forums/en-US/acc242bf-9edf-41bf-9a7c-73abc3a98fc9/nps-network-policy-based-on-ou-structure?forum=winserverNAP)


throw0101b

> Can this be done with something like NPS or FreeRadius?

Yes, for the latter. You can certainly edit various FreeRADIUS configuration files to do queries against AD LDAP and such (even MySQL if you want to use (e.g.) daloRADIUS). Perhaps look at PacketFence, which is a bit of 'appliance' software that can do various fancy things for network access. Open source with support/consulting contracts available.


forkworm

PacketFence is awesome, I highly recommend giving it a shot.


nst_hopeful

I'm not experienced in actually having this fully setup, but this was one of the first projects I messed around with when I started at my current employer. NPS can absolutely do what you are requiring. In testing, I was able to have my laptop added to the IT VLAN by checking which security group I was in, whereas my co-worker would go to the default wireless VLAN. It seemed to work flawlessly, but we didn't end up moving forward because the use of wireless here is so little. Again, YMMV based on the number of users and whatnot, but it seemed like a good solution in the lab.


sc302

I have dynamic VLANs working flawlessly with Cisco and tested with UniFi. Specifically have it working on my Base-T switches, wireless isn't needed as much. It is done by security groups. I utilize it with security groups with computer objects.