It seems that the external group mapping (NT domain group to an ACS group) works only with the immediate NT group where the users are defined. So if a group A (let's say user toto is defined directly in NT domain group A) is then defined in another, more general group (let's say group A is defined in group B), will the ACS RADIUS server be able to map the user toto against the general group B? From my test, external mapping will only work against the immediate group, group A in my example.