Hi,
You can meet your requirement by the following steps,
1. Configure VAP profile and Map SSID and AAA profile to VAP profile, how many SSIDs you want to broadcast those many VAP profiles are needed. all thse VAP profiles should have unique SSID profiles but you can map the same AAA profile to all the VAP profiles.
2. Create a RADIUS server ( Configuration-->Authentication-->Servers) and map this server to a server-group
3. map the server-group to the AAA profile which was mapped to the VAP profile.
The above steps will insists whole traffic of all SSIDS to the server configured and mapped to the server-group.
4. in NPS create a Remote access policy mapping to the user group with access policy, here we can configure any number of policies and the execution will be top to bottom. if the authenticating user do not belongs to any of the user group mapped in the policy will be denied.
For your ref :
This requirement is very easy and flexible with CPPM. if you get a chance try with CPPM.