How have you implemented guest access on your wired network? I currently have a fully segregated guest network on wireless, but nothing in place on wired. I would like to implement it on wired, but it needs to be able to switch to staff access based on domain credentials (derived from Windows if possible).
User plugs into network and doesn't have a domain account (or is in a non-staff OU) they get internet only access.
User plugs into network and has logged onto their laptop with domain accepted credentials they get staff access (internet and internal resources).
It may be better to key on machines that are on the domain first. So, if the user machine is on the domain, they will get staff access. In this case, I would like to keep the wireless authentication as is (since work supplied phones are not on the domain).
We do this using Extreme Policy and NAC. If you are an unknown computer, not owned by the school and not in AD, you get redirected to a registration page. You will then get an internet only policy that restricts you to the internet. If you have a campus owned computer, you might be doing .1x or MAC AUTH based on groups, AD groups, end-system groups, location groups etc... The sky is the limit.
You can create a network resource that maybe all of your servers are on, say 10.0.1.0/24.
You can then block all access to that network resource, but use IP socket destination to punch a hole through it. Say you have 10.0.1.4 and it's a DNS server: you could create a rule to open up socket 53. Anyway, you will have to make it your own, and these things vary greatly!
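To make the policy flow in the answer above concrete, here is an added example (not the poster's configuration and not Extreme Policy/NAC syntax) that models the same decision logic in plain Python: an end system is classified as staff when it is domain joined or its user sits in a staff OU, as guest once it has completed the registration page, and otherwise quarantined; the guest policy blocks the 10.0.1.0/24 server resource except for a DNS hole to 10.0.1.4 port 53, as described. The OU name, the MAC addresses and the IPs other than the ones in the answer are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed values for the example (only 10.0.1.0/24 and 10.0.1.4 come from the answer).
STAFF_OU = "OU=Staff,DC=example,DC=local"            # assumed staff OU suffix
SERVER_NET = ipaddress.ip_network("10.0.1.0/24")     # the "network resource" holding the servers
DNS_SERVER = ipaddress.ip_network("10.0.1.4/32")     # the DNS server the hole is punched to
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class EndSystem:
    mac: str
    domain_joined: bool = False          # machine auth against AD succeeded (e.g. 802.1X)
    user_dn: Optional[str] = None        # DN of the logged-on user, if known
    registered: bool = False             # completed the guest registration page


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    dst_net: ipaddress.IPv4Network
    proto: Optional[str] = None          # None = any protocol
    dport: Optional[int] = None          # None = any destination port


# First-match rule lists, in the style of "block the resource, punch a hole for DNS".
POLICIES = {
    "staff": [Rule("permit", ANY)],                                  # internet and internal resources
    "guest": [
        Rule("permit", DNS_SERVER, "udp", 53),                       # hole for DNS to 10.0.1.4
        Rule("permit", DNS_SERVER, "tcp", 53),
        Rule("deny", SERVER_NET),                                    # everything else on the server net
        Rule("permit", ANY),                                         # internet only
    ],
    "quarantine": [Rule("deny", ANY)],                               # until the registration page is done
}


def assign_policy(es: EndSystem) -> str:
    """Classify an end system into one of the policy names above."""
    if es.domain_joined:
        return "staff"
    if es.user_dn and es.user_dn.endswith(STAFF_OU):
        return "staff"
    if es.registered:
        return "guest"
    return "quarantine"   # the NAC would redirect this client to the registration portal


def evaluate(policy_name: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the first matching rule's action for a flow, with an implicit deny at the end."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in POLICIES[policy_name]:
        if dst not in rule.dst_net:
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


def decide(es: EndSystem, dst_ip: str, proto: str, dport: int) -> str:
    """Convenience wrapper: classify the end system, then evaluate the flow under its policy."""
    return evaluate(assign_policy(es), dst_ip, proto, dport)


if __name__ == "__main__":
    # Constructed sample end systems.
    samples = [
        EndSystem("00:11:22:33:44:55", domain_joined=True),
        EndSystem("00:11:22:33:44:66", user_dn="CN=jdoe,OU=Staff,DC=example,DC=local"),
        EndSystem("00:11:22:33:44:77", user_dn="CN=visitor,OU=Contractors,DC=example,DC=local", registered=True),
        EndSystem("00:11:22:33:44:88"),
    ]
    flows = [("10.0.1.4", "udp", 53), ("10.0.1.20", "tcp", 445), ("203.0.113.10", "tcp", 443)]
    for es in samples:
        policy = assign_policy(es)
        for dst, proto, port in flows:
            print(f"{es.mac} [{policy:>10}] -> {dst}:{port}/{proto}: {evaluate(policy, dst, proto, port)}")
```

The rule list is evaluated top-down and first match wins, so the permit for 10.0.1.4:53 must sit above the deny for 10.0.1.0/24; swapping those two lines silently closes the DNS hole, which is the usual mistake when translating "block the resource but open one socket" into an ordered ACL.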