However, I have often seen multiple user groups that use the same authentication and encryption methods but are on different SSIDs (think of a university having both students and staff authenticate to the wireless network in the same manner, yet on different SSIDs). In cases like this, it may be possible to consolidate SSIDs and leverage the concept of "user groups". In my university example, students and staff would be placed into different OUs (organizational units) within Active Directory. Both students and staff would log onto the wireless network on the same SSID with 802.1X and EAP. However, when the RADIUS server responds to the wireless network, it passes along the OU as a RADIUS attribute. The wireless network looks at this information and places the end user into the proper user group (either "student" or "staff"). The wireless network can then create specific policies for each user group that allow or deny access based on a myriad of options including port, service, time of day, IP address, IP range, etc. For example, only teachers would be allowed to access the IP address of the server containing the student grades.
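The group mapping and per-group policy check described above can be sketched as follows. This is an added example, not code from any wireless vendor or from the original post. The OU names, addresses, ports, hours and function names are assumptions made up for illustration, and an unknown OU or an unmatched request is denied.

```python
import ipaddress
import re
from datetime import time

# Constructed policy table: the group names come from the post; the
# addresses, ports and hours are invented for illustration.
GRADES = "10.20.0.5/32"   # hypothetical address of the grades server
ANY = "0.0.0.0/0"
POLICIES = {
    "staff": [
        {"action": "allow", "net": GRADES, "port": 443},
        {"action": "deny", "net": GRADES, "port": None},
        {"action": "allow", "net": ANY, "port": None},
    ],
    "student": [
        {"action": "deny", "net": GRADES, "port": None},
        {"action": "allow", "net": ANY, "port": None,
         "hours": (time(6, 0), time(23, 0))},
    ],
}
OU_TO_GROUP = {"staff": "staff", "students": "student"}  # assumed OU names


def group_from_dn(dn):
    """Map the first OU in an AD distinguished name to a user group."""
    m = re.search(r"(?:^|,)\s*OU=([^,]+)", dn, re.IGNORECASE)
    return OU_TO_GROUP.get(m.group(1).strip().lower()) if m else None


def is_allowed(dn, dst_ip, dst_port, now):
    """First matching rule wins; unknown group or no match is denied."""
    group = group_from_dn(dn)
    if group is None:
        return False  # fail closed: an unmapped OU gets no access
    for rule in POLICIES[group]:
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule["net"]):
            continue
        if rule["port"] is not None and rule["port"] != dst_port:
            continue
        if "hours" in rule and not rule["hours"][0] <= now <= rule["hours"][1]:
            continue
        return rule["action"] == "allow"
    return False
```

Rule order matters here: the deny for the grades server must come before the catch-all allow, or the student group would reach it through the broader rule.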
Utilizing user groups cuts down the number of extraneous SSIDs and "cleans up the air". With fewer beacons in the air, there is more available airtime, and therefore less management overhead and more available bandwidth. Tune in tomorrow for the next dumb mistake, "hiding" the broadcast of the SSID.