Assuming you've confirmed that T+ authentications are actually being sent to your ACS, then it should be just a case of adding Windows group mappings:
Support -> ACS Support Group
Default -> NO ACCESS
Group mapping is applied after AD authentication, so even if correct credentials are supplied the user will be mapped to NO ACCESS (i.e. rejected) if they are not a member of the correct AD group.