I'm searching for a solution to web authenticate users within a specific Active Directory Security Group. I tried to authenticate over Radius with Cisco Secure ACS and Network Access Restrictions. But NAR only works with Layer 2 authentication. And Web Authentication over LDAP can only be used with User Objects.
You and maldehne are saying the correct thing. However, this is some kind of limitation that cisco should improve in the future. classifying users based on groups in AD is more flexible than classifying based on OU's when using LDAP. If there is anything that can be implemented to classify users based on AD groups at Layer 3 auth level that will be very useful functionality for cisco products.