I'm currently looking at implementing a Guest solution utilising AD accounts for authentication.
The current idea for the implementation is as follows: guests connect through to the anchor controller via the configured SSID, and configuration on the anchor WLC calls out to use an ACS server configured under RADIUS - Authentication.
This ACS device, which is a member of our AD domain, will then be able to supply the relevant user credentials when a client inputs their details within the web authentication page.
Firstly, is this even possible? From the documentation I've seen on Cisco.com it appears to be, though most documentation appears to call out creating local accounts on the ACS, rather than using Windows AD accounts via the configured Windows external database. Secondly, if it is possible, I'm assuming it's very much a scenario where, if a user has an account, they'll be granted access, and if a user doesn't have an account, they'll be denied access. If we wanted to actually control connectivity through group membership, then we'd need to look at using LDAP as the authentication mechanism from the WLC?