Refering to the example scenario given by your client,
Example:
One Client shut be able to connect to WIFI if he is in Building 1 IP Range 192.168.1.0 Subnetzmask 255.255.255.0
But when the same Client cames from Building 2 IP Range 192.168.2.0 Subnetzmask 255.255.255.0 the he should be restricted out.
This can be done in a two step process.
First : Create a netdestination pointing to the vlan that the SSID is being broadcast on (this can be found in the configuration> wlan; check the VAP profle for which VLAN is mapped).
Create a Netdestination for each of the networks in building 1 and 2
It is going to look like this ;
(config)# netdestination "Wifi"
network 10.0..0.0 255.0.0.0
(config)# netdestination "Building-1"
network 192168.1.0 255.255.255.0
(config)# netdestination "Building-2"
network 192.168.2.0 255.255.255.0
refer the AOS 8.5 UG (Pg. 273) to create a netdestination
Second : Create a IP SACL as follows
ip access list session "Restrict logon to wifi"
// the format is "source destination service action"
// The first Access control entry is going to be
Building-1 Wifi any permit position 1
Building-2 Wifi any deny position 2
You could choose to ignore the second
ACE as an implicit deny all statement is going to be added but i recommend to keep it on for clarity.
Finally map this SACL into the pre-auth / initial role of the AAA profile for the SSID.
Let me know if it works