Recently I came across a demand from several clients of mine to integrate MS-IAS (Microsoft Internet Authentication Service) as Radius server to authenticate administrators and their role on the Wireless Control Server.
What I could find is vast and comprehensive documentation on ACS but rather very little if any on MS-IAS.
From what I understand ACS need to hold a local DB for users to be able to asign their role even when using it as Radius proxy to MS-IAS.
So, as mater of efficiency and single management issue, my clients want to use MS-IAS on their MS based network as single Radius and use the VSA (vendor specific attribute) on different policies and users groups on the MS Active Directory.
After playing with this quite a bit I managed to set it to work and looking back it is rather simple.
I add this guide which Stephen gave me
later will updated some minor details