Okay, so you might want to turn it around, then:
Assign a pool of VLANs to the Virtual AP. If a student authenticates via 802.1x just allow them on the radius server side or assign a role that does NOT have a VLAN assigned. For others, you can assign them to a role that has a single VLAN tied to the role:
Your Virtual AP has vlans 10,20,30.
When your students authenticate, they will end up in one of those VLANs.
Say a faculty member authenticates, you can respond with the radius server with a single VLAN that you want faculty in, or a role that has a single VLAN tied to it.
Does that make sense?