Hi James,
That's certainly a bummer, especially because we do not have the AD. The AP can handle multiple SSIDs, but WPA2-Enterprise authentication works for all or none. That's not very good for shared office environments etc. However, after a lot of fiddling around, I believe I found a way around the problem. It's not the best possible solution, but I believe it works. Here is what I have done.
1. Users can be identified by the user name created in the internal server, for example 'AAA James', 'ZZZ John' where AAA and ZZZ are the company names.
2. Changed the access level to 'Role-Based' for the network that only ZZZ employees should have access to.
3. Created a new role called 'ZZZ STAFF' and set the access rule to 'Deny access to all destinations'.
4. Now here is the best part: under role assignment rules I've created a new custom rule where, when 'user-name' contains 'ZZZ', assign role 'ZZZ STAFF' (the default rule is still active).
Now all ZZZ users who connect to the AAA network will get authenticated, because there is no way around it, but because the user name contains 'ZZZ' a rule blocking access to all network services will be applied to them, blocking them from accessing any network resource.
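The workaround in the post, modelled in code as an added illustration. This is not code from the post's author or from any AP vendor: the post does not name the product, so the evaluation semantics assumed here (custom rules checked in order, first match wins, otherwise the default role applies, a 'deny all destinations' role blocks every destination after a successful authentication) are assumptions. It also adds a stricter prefix rule, which matches on the company code before the first space instead of on a substring anywhere in the user name, and shows where the two differ.

```python
"""Role-assignment workaround for a shared WPA2-Enterprise SSID.

Added example, not vendor code. Assumed semantics:
  * authentication is all-or-nothing: any user in the internal server
    authenticates on every SSID;
  * role assignment rules are evaluated in order, first match wins, and the
    default role applies when none match;
  * a role with deny_all=True blocks every destination.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    deny_all: bool  # True models 'Deny access to all destinations'


@dataclass(frozen=True)
class AssignmentRule:
    description: str
    matches: Callable[[str], bool]
    role: Role


# Roles on the AAA network (names from the post; DEFAULT is an assumption).
DEFAULT_ROLE = Role("DEFAULT", deny_all=False)
ZZZ_STAFF = Role("ZZZ STAFF", deny_all=True)

# Constructed sample of the internal user database: 'AAA James', 'ZZZ John'.
INTERNAL_USERS = {"AAA James", "ZZZ John", "AAA Project ZZZ"}


def contains_rule(token: str, role: Role) -> AssignmentRule:
    """The post's rule: user-name contains <token> -> assign <role>."""
    return AssignmentRule(f"user-name contains '{token}'",
                          lambda user: token in user, role)


def company_code(user_name: str) -> str:
    """Company prefix of a 'CODE Name' user name (assumed naming scheme)."""
    return user_name.split(" ", 1)[0]


def prefix_rule(code: str, role: Role) -> AssignmentRule:
    """Stricter alternative: match only when the leading company code equals <code>."""
    return AssignmentRule(f"company code == '{code}'",
                          lambda user: company_code(user) == code, role)


# The rule set the post describes for the AAA network.
AAA_NETWORK_RULES: List[AssignmentRule] = [contains_rule("ZZZ", ZZZ_STAFF)]


def authenticate(user_name: str) -> bool:
    """All-or-nothing WPA2-Enterprise: every internal user authenticates."""
    return user_name in INTERNAL_USERS


def assign_role(user_name: str,
                rules: Optional[List[AssignmentRule]] = None,
                default: Role = DEFAULT_ROLE) -> Role:
    """First matching custom rule wins; otherwise the default role applies."""
    for rule in (AAA_NETWORK_RULES if rules is None else rules):
        if rule.matches(user_name):
            return rule.role
    return default


def connect(user_name: str, destination: str) -> Tuple[bool, Optional[str], bool]:
    """Outcome of a connection: (authenticated, assigned role, destination reachable)."""
    if not authenticate(user_name):
        return (False, None, False)
    role = assign_role(user_name)
    return (True, role.name, not role.deny_all)


if __name__ == "__main__":
    for user in sorted(INTERNAL_USERS):
        print(user, "->", connect(user, "10.0.0.5"))
```

Note the difference between the two rule styles on the constructed user 'AAA Project ZZZ': the substring rule from the post puts that AAA user into 'ZZZ STAFF' and blocks them, whereas the prefix rule keeps them on the default role, which is why matching on the company code rather than on a substring is the safer choice if user names are not strictly controlled.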