We currently have a 4402 Controller with several AP's configured and working great. We have 2 SSID's mapped to 2 different VLAN's as well. 1 SSID is for Internal use and has EAP-FAST, ACS Auth, etc configure. The Guest SSID is using the local net usernames as expected, however, it is also using the ACS server as well. We would prefer to prevent internal employees from even being able to authenticate to the Guest SSID. Any ideas?