You need to create on both sides, ClearPass and Aruba Central (I guess you manage your APs and switches from Central?).
On ClearPass, you will return the user role to your NAD (AP or switch), so let's say on the enforcement profile, if it's an iOS/Android phone, you will return a user role: mobile-user-role. If it's a corporate device, you will return a user role: corporate-user-role.
Then on Aruba Central, you will define those user roles for your switches and APs with specific configuration like:
mobile-user-role:
- vlan-id 500
- policy "restricted" (this policy should contain restrictive ACLs for internal subnets).
Another solution would be to have a VLAN which terminates at a firewall, and here you only allow internet access.
corporate-user-role:
- vlan-id 10
- policy "unrestricted" (here create an ACL which allows access to internal subnets)
Otherwise, let's say your VLAN 10 terminates at a firewall and you allow here access to internal subnets and internet.