Would it work for you to match all users in the service and, after authentication, based on the group membership (roles, device, etc.), return a Deny Access for unauthorized users?
That has another benefit, namely that you can put additional actions on unauthorized users trying to get access, like opening helpdesk tickets for a security incident.
The information on what you are trying to achieve (the question behind your question) is not fully clear, so please contact your Aruba partner or TAC if you need to discuss how to implement what you really want.