One SSID, one VLAN, one IP pool.
Differentiate by roles, such that Role A can access Role A, the internet and internal.
Role B can only access the internet and Role B, meaning no internal.

It is easy to accomplish that with the Extreme Control solution (NAC). In the management you define criteria like MAC address, username or hostname, and based on that you assign the right profile. In the profile you define ACLs for what such a device/user can do. A single-SSID design is good. Good luck.

If you have RADIUS-LDAP you can define the Filter-ID attribute field in the RADIUS response, and create a role with the same name in the Role tab.
In the VirtualNetwork tab you configure the default role, but if a role with the same name as the Filter-ID attribute in the RADIUS response can be found, then the assigned role changes.
I am not sure at all, but you can create a test WLAN.

I think the simplest way is to use authenticated roles based on the MAC addresses of clients.
Like Role A - accept all for MAC addresses A, B, C.
Role B - (for example) deny DNS, deny Internet gateway for MAC addresses D, E, F.
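
The design discussed in this thread (one SSID, VLAN and pool, with the role chosen from the RADIUS Filter-ID and a default role as fallback) can be checked as a policy matrix before it is configured. The following is an added example, not code from any poster and not Extreme configuration; the role names, the 10.20.0.0/16 pool, the default role, exact-name matching and denying cross-role traffic are all assumptions.

```python
import ipaddress

# Assumption: the single VLAN / IP pool is 10.20.0.0/16 and "internal"
# means any other private (RFC 1918) destination.
WLAN_POOL = ipaddress.ip_network("10.20.0.0/16")

# Destination classes each role may reach, as described in the question.
ROLES = {
    "RoleA": {"same_role", "internet", "internal"},
    "RoleB": {"same_role", "internet"},
}
DEFAULT_ROLE = "RoleB"  # hypothetical default role of the virtual network


def resolve_role(filter_id):
    """Use the role named by Filter-ID if it exists, else the default role.
    Exact (case-sensitive) name matching is an assumption of this model."""
    return filter_id if filter_id in ROLES else DEFAULT_ROLE


def classify(dst_ip, src_role, sessions):
    """Classify a destination as same_role, other_role, internal or internet."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in WLAN_POOL:
        # Peers share the subnet, so only the role can separate them.
        return "same_role" if sessions.get(dst_ip) == src_role else "other_role"
    return "internal" if dst.is_private else "internet"


def allowed(src_ip, dst_ip, sessions):
    """Decide whether src may reach dst under its resolved role."""
    role = sessions[src_ip]
    return classify(dst_ip, role, sessions) in ROLES[role]


# Constructed sample: Filter-ID returned by RADIUS for each client IP.
RADIUS_REPLIES = {
    "10.20.0.11": "RoleA",
    "10.20.0.12": "RoleA",
    "10.20.0.21": "RoleB",
    "10.20.0.22": None,      # no Filter-ID in the reply -> default role
    "10.20.0.23": "rolea",   # name does not match a role -> default role
}
SESSIONS = {ip: resolve_role(fid) for ip, fid in RADIUS_REPLIES.items()}

if __name__ == "__main__":
    for dst in ("10.20.0.12", "10.20.0.21", "192.168.1.10", "8.8.8.8"):
        for src in ("10.20.0.11", "10.20.0.21"):
            print(SESSIONS[src], src, "->", dst, allowed(src, dst, SESSIONS))
```

The two fallback rows show why the default role should be the most restrictive one: a missing or misspelled Filter-ID then lands the client in Role B rather than Role A.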