I see security/authentication as being distinct from network segmentation. Put the different SSIDs on different VLANs, and everybody can have their own security.
The Fire Department gets SSID "FireDept" on VLAN 911 on all the access points with WPA2 (or whatever), every firehouse gets a mesh node with its Ethernet ports on VLAN 911, Fire HQ has the router that everybody in the FD points to for outside access.
The Police Department get SSID "PoliceDept" on VLAN 50 on all the APs with 802.1x pointing to their own authentication server. The police stations all get a mesh node with its Ethernet ports on VLAN 50, etc.
The poor Meter Readers get SSID "EvilEmpire" on VLAN 25 with WEP40 because thats all their stone age wi-fi ticket printers have, but only on the APs downtown where the meters are.