Piotr Wojciechowski

Managing networks with many levels of privileges is common thing nowadays. Also building WLAN as a extension of wired LAN is nothing unusual. Usually users are divided into groups that differs privileges and resources they can access. Easy way is to create separate VLAN for each of the group. You can extend it to wireless network by propagating each VLAN under unique SSID, but that make a lot of broadcasted (or not) SSIDs which is not nice thing, especially if we don't want to inform our users how many groups we have. Better broadcast just one, right? If you are using ACS to authenticate users your task is pretty simple if your users are already divided into groups.
Configuration is easy. First in Interface Configuration->RADIUS (Cisco Airespace) you have to enable Aire-Interface-Name option.

Then in Group Settings in particular group in section Cisco Airespace RADIUS Attributes you will find previously enabled option. Now the only thing you have to do is to set interface name you created on WLC to which user have to be assigned after successful login.

And thats all. Now you can create one WLAN on your wireless network which will be used for user authentication before they can get access to your network. Using Aironet extensions in ACS you can tell controller to switch VLAN assignment per group basis after successful login. This way our Manager will have access to its VLAN and you are broadcasting only one SSID.