There are a few ways of doing this.
1. Mac authentication
2. Different SSID with different VLANs.
3. If you are using WDS (you should be) then two separate instances of WDS and let the RADIUS service decide who can use which WDS.
I would go with different SSID and VLANS
Configure all APs with ssid "A"
Configure the 1 AP with ssid "B" in addition to "A" (ie two vlans)
Configure the 4 to associate to ssid "B"
Configure the balance to associate to ssid "A"
Configure your authentication method appropriately for each SSID (ie only allow the 4 on "B")