The Endpoint Compliance System (ECS) could return either the VLAN ID or the role name to the controller via attribute in the Radius accept message.
VLAN pooling allows the controller to populate users into set of VLAN defined in the virtual AP profile.
If VLAN pooling is configured on the virtual AP profile, ECS must return the role name to the controller in the Radius accept message and in the role must not have any VLAN ID configuration.
wlan virtual-ap "vlanpooling"
Note that the the Policy Enforcement Firewall (PEF) license is needed if you want to create custom user role.
Note that the Default role is the role return to the controller after the users are registered and verified by the ECS.