Hello all - we're running ACS 4.x. Currently we have "check dial-in permission" enabled. We have VPN users and wireless (.1x) authenticating against ACS and then to AD. The problem is that with the "dial-in permission check" we have to grant this to all VPN and wireless users in AD, even though some wireless users do not need VPN access. Because if this permission is enabled, all wireless users automatically get VPN access as well. Is there a way around this? Can I check dial-in permission per NAS or something, or is that a global thing? Any other way to set this up so that only VPN users are checked for dial-in permission and not wireless users?