Essentially what you will have to do is create Network Access Restrictions for each group in ACS:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
So for example, you have two AD groups and two ACS groups: AD_VPN and AD_Wireless, ACS_VPN and ACS_Wireless.
If you're using Database Group Mapping, you'll have:
- AD_VPN maps to the ACS_VPN group
- AD_Wireless maps to the ACS_Wireless group
Then in your ACS_VPN group, you would create a network access restriction which states that users in this group can ONLY authenticate to your VPN headend. Similarly with wireless, the ACS_Wireless group has its own NAR that restricts access to only Wireless APs.
So what happens is, when a user who is only in the AD_VPN group in Active Directory tries to VPN in, he/she gets mapped to the ACS_VPN group, authenticates successfully, and is given VPN access. If this same user tries to log into wireless, he/she will still get mapped to the ACS_VPN group, but because of the NAR applied to that group, will be denied access. Similarly, this goes for wireless users.
I hope this is the functionality that you were looking for.
Sincerely,
Annie
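The decision flow Annie describes (AD group to ACS group mapping first, then the group's NAR checked against the device the user is coming in through) can be modelled in a few lines. The following is an added example, not Cisco ACS code or anything from the post. The group names come from the post; the AAA client names (`vpn-headend-1`, `wlc-1`, `wlc-2`) are constructed, and the assumption that group mappings are evaluated in order with the first matching AD group winning is made explicit so the behaviour for a user in both AD groups is visible.

```python
"""Model of ACS Database Group Mapping followed by per-group NAR evaluation.

Added example, not Cisco ACS code. Group names are taken from the post;
AAA client (NAS) names and the first-match mapping order are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Ordered (AD group, ACS group) mappings. Assumption: the list is evaluated
# top to bottom and the first AD group the user belongs to decides the ACS group.
GROUP_MAPPINGS = [
    ("AD_VPN", "ACS_VPN"),
    ("AD_Wireless", "ACS_Wireless"),
]

# Per-ACS-group Network Access Restriction: the only AAA clients (NAS devices)
# through which members of that group may authenticate. Device names are constructed.
NAR_PERMITTED_CLIENTS = {
    "ACS_VPN": {"vpn-headend-1"},
    "ACS_Wireless": {"wlc-1", "wlc-2"},
}


@dataclass
class Decision:
    granted: bool
    acs_group: Optional[str]
    reason: str


def map_to_acs_group(ad_groups: Iterable[str]) -> Optional[str]:
    """Return the ACS group for the first mapping whose AD group the user is in."""
    members: Set[str] = set(ad_groups)
    for ad_group, acs_group in GROUP_MAPPINGS:
        if ad_group in members:
            return acs_group
    return None  # no mapping: ACS would treat the user as unmapped


def evaluate(user: str, ad_groups: Iterable[str], nas_name: str) -> Decision:
    """Authorize a request from `user` arriving via AAA client `nas_name`."""
    acs_group = map_to_acs_group(ad_groups)
    if acs_group is None:
        return Decision(False, None, f"{user}: no group mapping, default deny")
    permitted = NAR_PERMITTED_CLIENTS.get(acs_group, set())
    if nas_name in permitted:
        return Decision(True, acs_group, f"{user}: {nas_name} permitted by NAR on {acs_group}")
    # Mapped successfully, but the group's NAR does not list this device.
    return Decision(False, acs_group, f"{user}: {nas_name} not in NAR for {acs_group}")


if __name__ == "__main__":
    # Scenarios from the post, plus a user who is in both AD groups.
    for who, groups, nas in [
        ("vpn-only-user", {"AD_VPN"}, "vpn-headend-1"),
        ("vpn-only-user", {"AD_VPN"}, "wlc-1"),
        ("wifi-only-user", {"AD_Wireless"}, "wlc-2"),
        ("wifi-only-user", {"AD_Wireless"}, "vpn-headend-1"),
        ("both-groups-user", {"AD_VPN", "AD_Wireless"}, "wlc-1"),
    ]:
        d = evaluate(who, groups, nas)
        print("GRANT " if d.granted else "DENY  ", d.reason)
```

The last scenario is the caveat worth checking in a real deployment: with one-to-one mappings like these, a user who is in both AD groups lands in whichever ACS group is mapped first and is then denied by that group's NAR on the other service, so users needing both services require a separate mapping (AD_VPN and AD_Wireless together) to an ACS group whose NAR lists both sets of devices.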