I am confused. I thought 192.168.5.0/24 was the guest network.? If your guest and employee SSID are 172.16.1.0/24 and 172.16.2.0/24, but not 192.168.5.0/24, then do the following:
ip access-list session validuser
network 172.16.1.0 255.255.255.0 any any permit
network 172.16.2.0 255.255.255.0 any any permit
That will only allow those IPs ranges on your wifi. If a client connects with anything other than a 172.16.1.X or 172.16.2.X address, the client will not be able to pass traffic.
Alternatively, you block your wired range instead:
ip access-list session validuser
network 192.168.5.0 255.255.255.0 any any deny
Either way is fine.