Most of what you want to do can be done by associating an SSID to a given VLAN.
You can prevent one wireless client from talking to another by enabling "Public Secure Packet Forwarding" (PSPF) on the APs.
If you use RADIUS (or TACACS+, I believe) you can do authentication / filtering by MAC address at the AP (or you can still do it later in the network, if you want).
Cisco ACS would be a good choice for authentication and authorization. It can do the MAC auth, and it can access credentials from external databases (e.g., Microsoft AD, Novell Directory, LDAP, SQL ...).
You may also want to use some flavor of "captive portal" (Cisco's is "BBSM") which will force guest users to acknowledge the company's "guest usage policy" before proceeding.
Are you looking to use standalone (Aironet) or LWAP (Airespace)?
You could use either, but which one you choose may change the back-end setup / infrastructure.
Good Luck
Scott
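Here is what the SSID-to-VLAN mapping, PSPF and RADIUS MAC authentication from the reply above look like on a standalone (IOS-based Aironet) AP. This is an added illustration, not configuration from the original post; the SSID name "guest", VLAN 20, the RADIUS server address 192.0.2.10, the shared secret placeholder and the method-list name mac_methods are all assumed values you would substitute for your own.

```cisco
! Added example: guest SSID bound to VLAN 20 with PSPF and RADIUS MAC auth.
! Assumed values: SSID "guest", VLAN 20, RADIUS server 192.0.2.10.
aaa new-model
aaa authentication login mac_methods group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! SSID tied to VLAN 20; open auth with the client MAC checked against RADIUS
dot11 ssid guest
 vlan 20
 authentication open mac-address mac_methods
 guest-mode
!
interface Dot11Radio0
 ssid guest
!
! VLAN 20 sub-interface on the radio; "port-protected" is PSPF
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 port-protected
!
! Matching sub-interface toward the wired side
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

Two caveats worth knowing before relying on this: PSPF only stops clients on the same AP from reaching each other, so clients on different APs in the same VLAN can still talk unless the switch also isolates them (protected ports or private VLANs). And MAC addresses are trivially spoofed, so MAC authentication is a convenience filter for guest access rather than a substitute for 802.1X/EAP on the corporate SSID.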