Currently in Enterprise Mode you can segregate your devices based on:
1- Radius Attribute returned by the Authentication Server then your device get an Access Role Profile
2- AD/LDAP Mapping Rule based on the answer of the Acitve Directory (without need Radius on the AD) then your device get an Access Role Profile
3- The Default Access Role Profile associated on the SSID
4- The Access Role Profile associated to a specific user account in case you use UPAM as the Authentication Server.
Every Access Role Profile could include a different vlan id, QoS Policy, location Policy, Time Policy, Bandwidth contract.
On Express mode you can segregate your devices based on:
1- The radius attribute filter-id returned by the authentication server with the VLAN ID
2- The default VLAN associated to the SSID