Hey Victor, great article, thanks for this.
I will extend this even further.
Customer of ours using Android tablets wants these devices to be able to only connect to 1 SSID and not another.
I was thinking of utilizing user rules with the MAC address of the tablet to force a specific user role (which is the post-auth role of SSID 2).
Setup
SSID 1 using external CP (Guest access)
SSID 2 using WPA2 PSK for tablets (employees)
Tablets not allowed to connect to SSID 1, but I have to find a way of preventing this.
I'll throw in another curveball: tablets can only go to certain websites, company website only and subdomains of it.
Using a netdestination in the ACL with a deny all for the user role would probably accomplish this.