First, you need to create a role for the devices you want to allow, then attach it to a vlan. Also attach a firewall policy to that role, as well.
Next, create a user-derivation rule that looks for the first 3 bytes of the mac address of that type of device you wan to allow on to change it to that new role you have.
Last, attach that user derivation rule to your AAA profile for that existing virtual ap:
So if you wanted heart monitors that began with mac address 00:0b:87 to be placed in VLAN 100:
config t
user-role heart-monitor (create the role for our heart monitors)
vlan 100 (assign the role to a vlan)
access-list session allowall (put in the allow all firewall policy for now)
exit (exit user role configuration)
aaa derivation-rules user heart-monitor-rule (Create the user derivation rule)
set role condition macaddr starts-with 00:0b:87 set-value heart-monitor (if the mac address of the device that attaches start with 00:0b:87, change the role to heart monitor. This will change the VLAN as well to 100)
exit
aaa profile wlan_prof (Assign our rule to the AAA profile of that Virtual AP)
user derivation rules heart-monitor