I have a Windows 2003 DC with Secure ACS 4.1 installed. I have created a "VPN users" and a "Wireless users" group in AD. I have mapped those groups to the respective groups (same name) in ACS. What I am trying to do is force my Concentrator 3000 to use only the VPN users group to Authenticate for VPn and the wireless AP's to use only the wireless users group to authenticate for wireless access. What I run into now is if I have the groups in this order 1. VPN group 2. Wireless group. And then I place a user account in only the wireless group, then try to authenticate from the concentrator it still works and the user is placed in the wireless group. Can anyone help or is this a case where ACS will keep going down the list similar to an access-list and once it finds a match it uses it?