We have successfully piloted EAP-TLS with machine certificates for wireless using microsoft IAS and I am investigating converting to ACS for the radius piece. One thing I can't figure out how to do with ACS is to check policy settings for the supplicant. Under IAS I can verify that the machine is part of a certain group via a remote access policy. Any ideas on how to do this with ACS?