<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Yes, RADIUS via Microsoft IAS.<div><br></div><div>Access could be controlled at the network layer via group policy if you have devices that can do the gating (eg. Airport Extreme).</div><div><br></div><div>Another way of achieving what you want is to use some kind of loginhook to test group membership of the connecting person.</div><div><br></div><div>If you use the active directory plugin then users arrive on the box with all their group information in the user record. For instance on the student file server (OS X.5 in AD)</div><div><br></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">fileserver:~ mylogin$ id <br>uid=1836357057(mylogin) gid=1522854277(EC\domain users) groups=1522854277(EC\domain users)<br>1194167463(EC\tamakilabs.fos)<br>1534136336(EC\dialin.itss)<br>1486277511(EC\student.psrwi)<br>.<br>.<br>.<br>760710041(EC\wifiaccess)<br>1474264128(EC\statlabs.fos)<br>304261082(EC\ecwiki)</blockquote><div><br></div><div>Note, I have tidied up the output a bit, the groups come as a comma separated list. It would not be too difficult to look for a particular group membership in the list and act on the presence or lack of such memberships. eg:</div><div><br></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">#!/bin/tcsh -f</blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><br></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">#<span class="Apple-tab-span" style="white-space:pre"> </span>assumes that this is being run as part of the log in process</blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">#<span class="Apple-tab-span" style="white-space:pre"> </span>and the user has been authenticated, and we have access to</blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">#<span class="Apple-tab-span" style="white-space:pre"> </span>group data via LDAP, AD etc. $1 should contain the login</blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">#<span class="Apple-tab-span" style="white-space:pre"> </span>name -what you would expect in a login hook<br><br>set MUSTBEAMEMBER = DOMAIN\\canlogon<span class="Apple-tab-span" style="white-space:pre"> </span># check this carefully<br>set ALLOWLOGIN = no<br><br>foreach thegroup (`id -nG $1`)<br><span class="Apple-tab-span" style="white-space:pre"> </span>if ($thegroup = $MUSTBEAMEMBER) then<br><span class="Apple-tab-span" style="white-space:pre"> </span>set ALLOWLOGIN = yes<br><span class="Apple-tab-span" style="white-space:pre"> </span>endif<br>end<br><br>if ($ALLOWLOGIN = no) then<br><span class="Apple-tab-span" style="white-space:pre"> </span>logout<br><span class="Apple-tab-span" style="white-space:pre"> </span>exit 1<br>endif<br><br><br># do login stuff...<br><br>exit 0</blockquote><div><br></div><div><br></div><div>Then you can manage access via groups on the AD.</div><div><br></div><div>There may be a way of doing this with PAM</div><div><br></div><div><br></div><br><br><div apple-content-edited="true"> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Monaco; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Monaco; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Monaco; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div><div><font class="Apple-style-span" face="Monaco" size="2"><span class="Apple-style-span" style="font-size: 10px; ">Mat</span></font></div><div><font class="Apple-style-span" face="Monaco" size="2"><span class="Apple-style-span" style="font-size: 10px; ">--</span></font></div><div><font class="Apple-style-span" face="Monaco" size="2"><span class="Apple-style-span" style="font-size: 10px; ">Matiu Carr <<a href="mailto:m.carr@auckland.ac.nz">m.carr@auckland.ac.nz</a>></span></font></div><div><font class="Apple-style-span" face="Monaco" size="2"><span class="Apple-style-span" style="font-size: 10px; "><br class="webkit-block-placeholder"></span></font></div><div><span class="Apple-style-span" style="font-family: Monaco; font-size: 10px; ">IT Manager</span></div><div><font class="Apple-style-span" face="Monaco" size="2"><span class="Apple-style-span" style="font-size: 10px; ">National Institute of Creative Arts and Industries</span></font></div><div><font class="Apple-style-span" face="Monaco" size="2"><span class="Apple-style-span" style="font-size: 10px; "><br class="webkit-block-placeholder"></span></font></div><div><font class="Apple-style-span" face="Monaco" size="2"><span class="Apple-style-span" style="font-size: 10px; ">+64 9 3737 599 x86511</span></font></div><div><font class="Apple-style-span" face="Monaco" size="2"><span class="Apple-style-span" style="font-size: 10px; "><a href="http://www.people.auckland.ac.nz/Mat/">http://www.people.auckland.ac.nz/Mat/</a></span></font></div><div><br></div></div></div></div></span></div></span><br class="Apple-interchange-newline"></div></span></div></span> </div><br></body></html>