I used to do something similar with Microsoft IAS using the filter ID RADIUS attribute and a server rule I set up.
Start with the RADIUS Attribute.
When a Student authenticates have IAS Send a filter ID of "Student" in the radius accept message.
Likewise send a filter ID of "Staff" for staff authentications.
You will need to create a unique server group for each SSID. The severs within the server group can be the same.
Under the Server rules section of the server group configuration create a rule to block access. Something like.....
aaa server-group "Staff"
set role condition "filter-Id" equals "Student" set value denyall position 1
aaa server-group "Student"
set role condition "filter-Id" equals "Staff" set value denyall position 1
Hope this will help.