Why not just set up multiple SSIDs then? The devices connected to different SSIDs belong to different VLANs. Then you don't have to consider MAC spoofing or even deploy EAP-TLS: just give different devices a different password.

I'm sure there are simpler ways to deal with the use case in mind, but I think this article just wants to have fun with NSA-grade WiFi.