Diagram: A rough diagram is attached to give you an idea of the network.
Queries and Recommendations:
Solution Option1: Use one large VLAN/IP subnet for all floors. In that case, users will always get the same IP regardless of the floor, and firewall permissions can be granted based on IP addresses for each user.
Issue with Option1: The broadcast domain will become large and will result in slowness.
Solution Option2: Use a different VLAN per floor to avoid a large broadcast domain, and handle firewall permissions based on ISE TrustSec or usernames.
Issue with Option2: The firewalls in the DC do not support permissions based on Security Tags or on users.
We use a /21 address block in our campus VLAN (we have more VLANs, but this is the largest one) and we see no broadcast issues here. No multiple VLANs for the same class of users just because of a "different floor".
We are using L2 authentication. Any user can use any plug; he will be connected to the VLAN claimed by the RADIUS server (we have multiple VLANs for multiple classes of users).
Our RADIUS server verifies not just the credentials provided by the user, but the MAC address of the device as well. Thus no user can spoof the MAC address of another user wishing for a "more powerful IP assigned by DHCP". Moreover, we have IP Guard turned on on the switches, so no user can use an IP address unless it was assigned to them by DHCP.
In short: users use only the IP assigned by the DHCP server, and they can't spoof a MAC to cheat the DHCP server.
As a result, we can use an IP-based firewall.
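To make the enforcement chain in the reply above concrete, here is an added example (not from the original thread) of how the pieces fit together on a Cisco IOS access switch: 802.1X with the VLAN assigned by RADIUS, DHCP snooping to build the MAC/IP/port binding table, and IP Source Guard so a host can only send from the address DHCP gave it, which is what lets the data-center firewall trust source IPs. The Cisco syntax, VLAN IDs, RADIUS server name/address and interface names are all assumptions; the post names none of them.

```text
! --- Global: 802.1X against RADIUS; "authorization network" is what allows
! --- the server to push a VLAN in the Access-Accept
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-1                          ! hypothetical name and address
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
dot1x system-auth-control
!
! --- DHCP snooping: learns (MAC, IP, VLAN, port) from real DHCP exchanges only
ip dhcp snooping
ip dhcp snooping vlan 100,110                ! assumed user VLANs
!
! --- Uplink toward distribution / the DHCP server: trusted, so offers are accepted;
! --- no source guard here
interface GigabitEthernet1/1/1
 description uplink-to-distribution
 switchport mode trunk
 ip dhcp snooping trust
!
! --- User ports: untrusted, authenticate first, VLAN comes from RADIUS
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 ip dhcp snooping limit rate 15             ! cap DHCP packets per second from a host
 ip verify source                           ! IP Source Guard: drop IP traffic whose
                                            ! source address is not in the binding table
!
! --- RADIUS side: standard RFC 3580 attributes the server returns on Access-Accept
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = 110
! The user-to-MAC check the reply describes is server policy and is not shown here.
!
! --- Checks after deployment:
!   show ip dhcp snooping binding      -> one entry per authenticated host
!   show ip verify source              -> "active" on user ports, with the learned IP
!   show authentication sessions       -> port, MAC, and the VLAN RADIUS assigned
```

If the uplink is left untrusted, DHCP offers from the real server are dropped and hosts get no lease; if a user port is marked trusted, that port bypasses both snooping and source guard, which is the setting to audit.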