WLC is a "dumb" switch. Authentication rules, like what you are describing, are done exclusively by authentication servers like ISE.
ISE then talks to the WLC and say "let them in" or not. Based on the SSID you can separate what authentication rules you want.