ACS v5.4 is authenticating users outside of our selected directory groups

Logan Thomas
Level 1

We use ACS to authenticate users connecting to our wireless network.

Up until yesterday, we had Active Directory added with two groups selected: All Domain Users and All Domain Computers.

Yesterday, we changed All Domain Users to All Staff Wireless and All Students Wireless. This should have removed service accounts and will allow us to prevent certain staff and/or students from connecting when we choose.

Doing testing today, I'm able to connect to wireless with both a service account and my account, which has been removed from All Staff Wireless. I'm able to connect on both an iPhone and a MacBook.

Anybody know why this is? See below for a rundown of our setup:

  1. Active Directory is Joined and Connected with All Domain Computers, All Staff Wireless, and All Student Wireless directory groups selected.
  2. An Identity Store Sequence has been created with AD1 and Internal Users selected.
  3. The Identity Source selected for Default Network Access is the sequence from #2. When authentication fails or user is not found, they are rejected. If the process fails, they are dropped.
  4. For Authorization, the only rule is named Controller Access with the NDG:Device Type condition selected with All Device Types:Controllers selected. The Authorization Profile is Permit Access.
  5. The Default Rule is set to Deny Access.

So unless we missed something, this should be blocking our service accounts and users not in 1 of 2 wireless groups from connecting to our wireless network.

Anybody see anything wrong with our configuration? None of us are gurus in this as it has been set up and running for a long time.

2 Replies

Kanwaljeet Singh
Cisco Employee

Hi Logan,

When you see the successful log for authentication and authorization, do you see the rule that you have configured is getting hit and not any other rule which matches the conditions the user is presenting? I would start looking from there and if needed, move or modify the rules.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

It's showing that I was authenticated by the Controller Access rule (our named rule from step 4 above) and my user came from AD1.

Currently the only place we have user groups specified is under Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups. Is there anywhere else I need to select groups in order to restrict access to people outside of these groups?
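To make the behaviour described in this thread concrete, here is a small model of first-match authorization rule evaluation, added as an illustration and not taken from the thread or from Cisco ACS itself. It assumes (as the thread's own findings suggest) that selecting directory groups under the Active Directory identity store only makes group membership available as a condition attribute, and that an authorization rule whose only condition is the NDG device type matches every authenticated user from that device type. The rule names, group names and sample users are constructed from the posts above; `any_of_groups` and the `authorize` function are hypothetical names for the model, not ACS identifiers.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of an access request after successful authentication.
# `groups` is what the identity store reports for the user; `device_type`
# is the NDG:Device Type of the network device the user is connecting through.
@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    device_type: str


@dataclass(frozen=True)
class Rule:
    """One authorization rule; a None condition means 'not constrained'."""
    name: str
    device_types: Optional[FrozenSet[str]] = None
    any_of_groups: Optional[FrozenSet[str]] = None  # hypothetical name for an AD-group condition
    permit: bool = True

    def matches(self, req: Request) -> bool:
        if self.device_types is not None and req.device_type not in self.device_types:
            return False
        if self.any_of_groups is not None and not (req.groups & self.any_of_groups):
            return False
        return True


def authorize(rules: List[Rule], default_permit: bool, req: Request) -> Tuple[str, bool]:
    """First matching rule wins; otherwise the default rule decides."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.permit
    return "Default Rule", default_permit


CONTROLLERS = frozenset({"Controllers"})
WIRELESS_GROUPS = frozenset({"All Staff Wireless", "All Student Wireless"})

# Policy as described in step 4 of the original post: the only condition is
# the device type, so every authenticated user on a controller is permitted.
AS_CONFIGURED = [Rule("Controller Access", device_types=CONTROLLERS)]

# Same rule with an additional group-membership condition, so only members of
# the two wireless groups are permitted; everyone else falls to the Default Rule.
WITH_GROUP_CONDITION = [
    Rule("Controller Access", device_types=CONTROLLERS, any_of_groups=WIRELESS_GROUPS),
]

# Constructed sample requests matching the scenario in the thread.
SERVICE_ACCOUNT = Request("svc-backup", frozenset({"Domain Users"}), "Controllers")
REMOVED_STAFF = Request("lthomas", frozenset({"Domain Users"}), "Controllers")
STUDENT = Request("student01", frozenset({"Domain Users", "All Student Wireless"}), "Controllers")


def decisions(rules: List[Rule]) -> dict:
    """Evaluate all three sample users against a rule set with Default Rule = Deny."""
    return {req.user: authorize(rules, False, req)
            for req in (SERVICE_ACCOUNT, REMOVED_STAFF, STUDENT)}


if __name__ == "__main__":
    for label, rules in (("as configured", AS_CONFIGURED),
                         ("with group condition", WITH_GROUP_CONDITION)):
        print(label)
        for user, (rule, permit) in decisions(rules).items():
            print(f"  {user:10s} -> {rule} ({'Permit' if permit else 'Deny'})")
```

Running the model shows why the thread's logs report the Controller Access rule being hit for the removed account: a rule with no user-based condition never reaches the Deny default for any user who authenticates. Adding the group condition is what makes the Default Rule's Deny take effect for the service account and the removed staff member while the student is still permitted.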