Assign different keys to the same SSID to identify users with mac randomiation enabled

I use Google WiFi devices running OpenWRT as pure access points (APs) and Firewalla as my router.
I manage different groups of users with specific policies, but to correctly assign them to the appropriate group, I always have to ask them to disable MAC address randomization on their devices.

Recently, I noticed a new feature in the Firewalla WiFi AP called Personal Key:

Assign different personal keys (PPSK via WPA2) to the same SSID to identify users. Devices logging in with a specific key will be assigned to the configured user, group, or VLAN network (experimental), ensuring user identification and rule enforcement (even if the user’s MAC address is randomized).

I’m curious if something similar can be implemented in OpenWRT.
Thanks!

It is possible on OpenWrt, but not a straightforward solution.

You need enterprise/radius server and vlan to achieve this.

Yes, the openNDS package (open Network Demarcation Service) can do this for you, using any wireless encryption type, no vlans needed, no radius server needed, no third party servers or cloud needed.
Simple scripting enables any type of credential validation, be it "key", "username/password" or anything else you can come up with.
Runs on any OpenWrt router 23.05.xx or higher.