Where is your URL filtering done? Controller or firewall? Without knoledge, I can see a few methods -
1. You can create a login/password for those particular ipads and drop them into a different role. The problem is if that username/password is distributed.
2. As Vinod mentioned, you can do a mac-address bypass mode and set the role to "authenticated" or to another user-role based on the mac auth. Watch out because once folks get word of this, it may become an admin nightmare.
3. Create another role and use user-based derivation to drop them into a different role. Again, if the info gets out, users will connect to this SSID to gain access so another form of auth such as mac address bypass or info passed from your RADIUS server may be required.