1. On Radius Server, create Filter-ID per user to grouped them (exmple : Filter-ID :"Director" for upper management, "Staff" for lower staff, etc)
2. On IAP's SSID (SSID-A) setting, go to ACCESS (last tab), and choose ROLE-BASE
3. Every SSID automatically create new ROLE for them selves, so for this exmple, you will see role SSID-A with ALLOW-ALL policy
4. Create new ROLE, set the bandwidth and ACLs for each user-group (FIlter-ID)
5. Select the default role (SSID-A), on the right panel, click new button and create new access rules with format
Attribute : Filter-ID
Operator : Contains / Equals
String : Filter-ID strings on your Radius
Role : Put the new role you created on point 4
6. You can add multiple Access Role as long you create different ROLE (as Point 4)
With this config, user with specific Filter-ID will be derive to the role they appointed, while user wiithout filter-ID will be using the default role (SSID-A).
Goodluck!