You could do this with a single SSID.
One quick question: Are you providing Contractors an account ahead of time, either a Guest Account (Contractor TIPs Role) or using AD?
In the same Captive portal you could do the following:
- Guest Registration
- A link to allow Employees to authenticate using AD credentials and based on that you can send a user-role/VLAN to the controller
- Use the same link for Employees to authenticate Contractors against AD or local database and then send a user-role/VLAN to the controller
You can use the Guest MAC Auth service template to create this.