Piotr Wojciechowski

Cisco has recently released many some new versions of firmware for WLC (latest with major number 5.x) and its supporting software WCS (also 5.x). Good that they are patching and implementing new features in their software but fast developing process causes some incompatibility problems. Here are two of them you have to keep in mind.
First of all current WLC firmware version 5.0.148.0 does not support old lightweight access points - 1000 family. This is big disadvantage because many networks are still using them as they were quite cheap and they are EoS not for a long time. There is no info from Cisco if future releases of new software will still support old devices.
Second are incompatibilities between WLC firmware supported by each version of WCS. In example latest release of WCS (5.0.56.2) does not support WLC firmware 4.2.99.0 and 4.2.112.0, which are two latests from 4.2 mainline. This all causes that engineer have to be really careful deciding which version of firmware and software load on devices.

Managing networks with many levels of privileges is common thing nowadays. Also building WLAN as a extension of wired LAN is nothing unusual. Usually users are divided into groups that differs privileges and resources they can access. Easy way is to create separate VLAN for each of the group. You can extend it to wireless network by propagating each VLAN under unique SSID, but that make a lot of broadcasted (or not) SSIDs which is not nice thing, especially if we don't want to inform our users how many groups we have. Better broadcast just one, right? If you are using ACS to authenticate users your task is pretty simple if your users are already divided into groups.
Configuration is easy. First in Interface Configuration->RADIUS (Cisco Airespace) you have to enable Aire-Interface-Name option.

Then in Group Settings in particular group in section Cisco Airespace RADIUS Attributes you will find previously enabled option. Now the only thing you have to do is to set interface name you created on WLC to which user have to be assigned after successful login.

And thats all. Now you can create one WLAN on your wireless network which will be used for user authentication before they can get access to your network. Using Aironet extensions in ACS you can tell controller to switch VLAN assignment per group basis after successful login. This way our Manager will have access to its VLAN and you are broadcasting only one SSID.