This is how I will approach those conditions:
- Create 2 VLANs, one for each user group
- Create a DHCP pool, or let the internal network handle the DHCP pool
- On controller, set port as trunk, with native VLAN and allowed VLAN (if using external DHCP)
- On controller, just set port as access, enable source-nat for those VLAN/IP (if using internal DHCP)
- Create a user role (for staff) and define the VLAN ID that will be used for this role
- Create or define the RADIUS server that will be used: internal DB or AD
- For internal, create the user inside the database with the role as defined before.
- For external, define the attribute to use for user derivation (Filter-ID, or others)
For internal:
- Create AP Group with 802.1X auth (username and password)
- Assign internal DB
- Assign default VLAN on this AP Group to the student VLAN
- Set default role (set different role, try using guest)
- Staff will be assigned a different VLAN automatically, as stated in their role.
For External:
- Create AP Group with 802.1X auth (username and password)
- Set and assign Radius server
- On the RADIUS server, create server rules with the attributes stated in the DB
- Assign default VLAN for this AP Group to the student VLAN
- Set default role (set different role, try using guest)
- Staff will be assigned a different VLAN automatically.
Hope you can get what I mean.
Good luck!