Hi,
You are using RADIUS authentication. If you have selected WPA2+AES security, then the role will be authenticated.
If you want to assign multiple internal VLANs to a user group with a single SSID, then you will have to use a user derivation rule.
There is an AP group named "default" in the controller. The policy will be assigned as per the role.
Kindly provide a screenshot for clarity.
Regards,
Nik...