In ACS we setup several groups: Internet-only, VPN-only and Internet-VPN. Users are then placed into these groups according to group-mapping from Windows AD. This has been working as designed for years. Now we upgrade to ACS 4.0 and there is a problem. It seems as if our Internet group from AD is not being recognized by ACS. If a user is only in the AD internet group, ACS places them in no access. If a user is in the internet group and a VPN group they are placed in VPN-only group. If a user is only in a VPN group they are correctly placed in VPN-only. If I setup a new group mapping, I see the Internet group in the list of AD groups. Does ACS 4.0 recognize all AD groups whether they are global or local when it come to authenticating and classifing users? I ask this because the VPNgroups are global groups and the Internet group is not, but that did not matter before.