Dynamic PSK (one time passwords you can create in the ZD or VSZ) Or you can let a user login with a username and password that is checked agains a radius server. If this user has a specific vlan attribute assigned to it's account, the controller will connect the wifi client to the destined vlan.
I understand the latter (802.1x) on a switch and how that configuration looks on an interface used for physical connectivity. When u sing 802.1x for Wireless would you still configure the switchport facing an AP the same way?
Or do you still have a management VLAN, an access VLAN, and the wireless controller itself has a separate VLAN database?
Curious as to how this works in an environment where the AP switches traffic across the network normally instead of tunneling to the Director.
If you maintain a separate management VLAN for your ZD and APs, that's normal and best practice.
You need to support the default VLAN of the 802.1x WLAN that you define, *and* the additional VLAN(s) you want the user Role to specify.
The new 'Dynamic VLAN' is assigned to the client by their authentication, then a COA or DM, will disconnect the client who immediately is re-associated and assigned to the specified new VLAN. Client DHCP request goes out on that VLAN, etc from there.