Wireless Access

After integrating controller with active directory can I create roles based on active directory group membership for example

IT group can have full access to everything but  accountatnt have no access at all.

can you do that with AD integration? i know you can with radius, but is that what the OP is asking?

You can't do that with straight up ldap as far as I know. EDIT: I stand corrected, see below.

You can however set up a radius server (Clearpass, NPS, .. ) and use that to return roles depending on AD group membership.

With an Aruba controller you can have your radius server return the aruba vsa aruba-user-role (amongs many more) to have this applied to the user. No need to go into server derivation rules and the likes even.

Koenv

You can change a device's role  based on an attribute  in with LDAP:

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/LDAP-server-Server-Rules/m-p/2235/highlight/true#M461