Yep if you want specific roles for specific group of users you can do it as poster suggested using derived roles... just return a value from the raidus server maybe filter id depending on whcih group the user belongs...
For example if you got a group called IT
you can return filter id value IT to the controller, the controller will look for a role called IT(you need to configure it first) in which you put the rules you want inside that role which can be in this case allow any any as you are an IT guy
You can then have another group on the NPS called Accounting, which will return a value Accounting to the controller, which will look for a role named Accounting, which you need to configure previusly and then you will create specific rules for that role.
Its a really handy way... remenber you dont want to have many SSIDs you want to have less SSIDs for better performance... more SSIDs means less performance.
Cheers
Carlos