Apologies my networking skills are a tad rusty. I'm looking for a way to setup a system that gives me the ability to setup Role-based access to specific network resources. For example, i have three private subnets for specific groups, users will need access to one one or more subnets.

I'd like to have all client machines on the same subnet/vlan, and then use 802.1x to authorize into a router(NAC device/whatever), the router would then see what user had authenticated(huge plus if it could determine AD group), and then allow routing to one or more of the three private subnets based upon their group membership.

I've looked at packetFence, and it appears to work by assigning a client to a VLAN, but i'd still need a way to route some users into different back-end networks.