@Robert Hi,
Thank you for posting in Q&A!
According to my research, **your requirements seems can be achieved by **configuring NPS policies.****
1.Firstly, it is suggested to Map SSID to different VLANs(with local LAN access and guest access for internet) This should be configured on the AP device.
Since that we are not familiar with third-party Ciso AP devide, please refer to the Ciso technical team for more professional suggestions.
2.Then, you can set different NPS policies to achieve authentication of wireless clients against the Windows AD environment. For more details, please refer to:
http://wifinigel.blogspot.com/2014/03/the-microsoft-network-policy-server-nps.html
>>>>My thought here is that the guests would exist in active directory for authentication only. (no off the street guest access).
Please noted that, this can be ahieved by adding a Condition inside the Network Policy and specify the Called Station ID which presents the WIFI Access Point MAC Address plus SSID.
For more details, please refer to:
https://learn.microsoft.com/zh-cn/archive/blogs/netgeeks/how-to-authenticate-multiple-wifi-ssids-on-a-single-nps-server-radius
Hope you have a nice day : )
Gloria
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
https://learn.microsoft.com/en-us/answers/articles/67444/email-notifications.html