By default, when using Active Directory for Splash Page authentication, all users in AD can be granted access. However, by using Organizational Units (OU) and a custom AD admin account, it is possible to limit which users can get through authentication. This document will show you how to limit the scope of users that can be authenticated to an SSID using a Splash Page with Active Directory Integration.
Note: This is an advanced configuration that requires day-to-day knowledge of Active Directory to be done correctly. Please refer to Microsoft documentation and support for assistance.
First, you will need to create users for each group of users. In this case, we have Students and Staff. We will use this example to limit Staff Users from accessing the Student SSID.
Right click and select Properties of the Staff OU
Deny the StudentLDAPUser's READ rights for the Staff OU
Now, you will use this StudentLDAPUser to Bind to AD under 'Configure >> Access Control' for your Student SSID:
Since this user does not have the ability to read the Staff OU, Staff Users will not be able to use this SSID. You will need to apply this Deny to all User OU's that should not be allowed to access this SSID.
You will repeat the same steps to Deny Students from accessing the Staff SSID. You'll need to Deny Read permissions for StaffLDAPUser for all OU's that should not have access to the Staff SSID.