- Tue 18 March 2014
While I wait for widespread availability of 802.11ac enterprise-grade access points, a friend gave me a Cisco 1231 (dual radio) model as an interim solution. These puppies are a bit long in the tooth (A/B/G, no N, no WPA2 afaict) but it was still an acceptable solution since the overriding requirements were: be-a-bridge-not-a-router, PoE, no controller needed, and multi-SSID-to-VLAN mapping. Here's the config I'm using to accomplish that.
ap-guestroom#sho run
Building configuration...
!
Current configuration : 5414 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-guestroom
!
no logging console
enable secret 5 $1$[redacted]
!
ip subnet-zero
!
!
no aaa new-model
!
dot11 ssid campitycamp
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 [redacted]
!
dot11 ssid dutnet
vlan 13
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 [redacted]
!
dot11 ssid guestnet
vlan 12
authentication open
mbssid guest-mode
!
dot11 ssid nplz
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 [redacted]
!
dot11 ssid v6only
vlan 11
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 [redacted]
!
!
!
username Cisco password 7 [redacted]
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
load-interval 30
!
encryption mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 11 mode ciphers aes-ccm tkip
!
encryption vlan 13 mode ciphers aes-ccm tkip
!
ssid campitycamp
!
ssid dutnet
!
ssid guestnet
!
ssid v6only
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
!
interface Dot11Radio0.10
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio0.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
bridge-group 12 subscriber-loop-control
bridge-group 12 block-unknown-source
no bridge-group 12 source-learning
no bridge-group 12 unicast-flooding
bridge-group 12 spanning-disabled
!
interface Dot11Radio0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 11 mode ciphers aes-ccm tkip
!
encryption vlan 13 mode ciphers aes-ccm tkip
!
ssid nplz
!
mbssid
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1.10
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio1.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
bridge-group 12 subscriber-loop-control
bridge-group 12 block-unknown-source
no bridge-group 12 source-learning
no bridge-group 12 unicast-flooding
bridge-group 12 spanning-disabled
!
interface Dot11Radio1.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.10
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
!
interface FastEthernet0.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
no bridge-group 12 source-learning
bridge-group 12 spanning-disabled
!
interface FastEthernet0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
no bridge-group 13 source-learning
bridge-group 13 spanning-disabled
!
interface BVI1
ip address dhcp client-id FastEthernet0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
!
sntp server 192.148.252.1
end
!
ap-guestroom#
This is "Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA, RELEASE SOFTWARE (fc1)" on an AIR-AP1231G-A-K9 (two radios).
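
Added example, not part of the original post: a short Python audit of the multi-SSID-to-VLAN mapping that cross-checks each SSID's VLAN against the radio `encryption vlan` lines and the `encapsulation dot1Q` subinterfaces, and flags open SSIDs, TKIP and cleartext management settings. The function name `audit`, the finding texts and the trimmed sample config are assumptions of this example.

```python
import re

# Constructed excerpt in the page's layout (sub-commands unindented, "!" separators).
SAMPLE = """dot11 ssid dutnet
vlan 13
authentication key-management wpa
dot11 ssid guestnet
vlan 12
authentication open
interface Dot11Radio0
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 13 mode ciphers aes-ccm tkip
ssid dutnet
ssid guestnet
interface Dot11Radio0.13
encapsulation dot1Q 13
ip http server
line vty 0 4
transport input all
"""

def audit(config):
    """Return (ssid -> vlan map, sorted findings). Finding texts are this example's own."""
    ssids, ciphers, tagged, findings, cur = {}, {}, set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)", line):
            cur = ssids.setdefault(m[1], {"vlan": None, "wpa": False})
        elif re.match(r"(interface|line) ", line):
            cur = None  # the SSID stanza has ended
        elif cur is not None and (m := re.match(r"vlan (\d+)", line)):
            cur["vlan"] = int(m[1])
        elif cur is not None and line.startswith("authentication key-management"):
            cur["wpa"] = True
        elif m := re.match(r"encryption vlan (\d+) mode ciphers (.+)", line):
            ciphers[int(m[1])] = m[2].split()
        elif m := re.match(r"encapsulation dot1Q (\d+)", line):
            tagged.add(int(m[1]))
        elif line in ("ip http server", "transport input all"):
            findings.add(f"management: '{line}' allows a cleartext protocol")
    for name, s in ssids.items():
        if not s["wpa"] or "tkip" in ciphers.get(s["vlan"], []):
            why = "tkip still allowed" if s["wpa"] else "open, no key management"
            findings.add(f"ssid {name} (vlan {s['vlan']}): {why}")
        if s["vlan"] not in tagged:
            findings.add(f"ssid {name}: no dot1Q subinterface for vlan {s['vlan']}")
    for v in set(ciphers) - {s["vlan"] for s in ssids.values()}:
        findings.add(f"encryption vlan {v}: no ssid maps to this vlan")
    return {n: s["vlan"] for n, s in ssids.items()}, sorted(findings)
```

In the full listing above, the same checks apply to `encryption vlan 10`, which no SSID references, and to `guestnet`, which has no key management.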