Hi,
As per your scenario, condition can be from domain computers as AD groups. If it match then get access otherwise fail.
The other way not to use AD group and get access accordingly.
You can manage your network through EAP-chaining or MAR in the network.
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
Regards
Gagan
PS: rate if it helps!!!!