I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm running an Eval of CSACS v4.2 for Windows in a Lab so I can work out the issues.
So far I've been fairly successful getting user accounts authenticated with active directory credentials using the "Windows Database" as my external user database. The only problem I've run into is that I can't seem to figure out how to restrict access to Active Directory group membership.
For instance, in the lab I have a Cisco 3750 switch that is using ACS to control login access. But given my current ACS configuration everyone in the windows domain can login to the switch. How can I restrict that down to just the Network Operations group in Active Directory?