As jrwhitehead mentions, I would probably go back to the drawing board for this one. Although it is completely possible if you trunk the VLAN to all the IAPs.
Configure profiles using the Aruba-User-Vlan (2) attribute, create a policy matching your user credentials to the desired profiles and match the flow in a service.