you can achieve this with access-lists
ip access-list session employee-acl
any any any permit
!
!
netdestination internal-networks
network 10.0.0.0 255.0.0.0
network 192.168.0.0 255.255.0.0
network 172.16.0.0 255.240.0.0
<Add any others you want>
!
ip access-list session guest-acl
user alias internal-networks any deny
any any any permit
!
user-role employee
access-list session employee-acl
!
!
user-role guest
access-list session guest-acl
!
Assign the roles to the respective ssids