Using policy simulation I set this:
Radius:IEFT - Called-Station-ID = <SSID>
Which allows me to successfully test. Roles and enforcement seem unnecessary in my scenario. I need the RADIUS request to send the SSID, username + password for authentication, the host marked as known in the endpoint repository then Meraki would supply the VLAN and IP address.
I'm guessing it's not that simple and maybe a support case is needed.
Thank you