We have a CenturyLink Actiontec C1900A router/modem as our primary router. As far as I can tell it does not support VLANs. I have configured it to have two SSIDs, one private and one public. The first defined SSID (private) has access to the LAN, but there is an option on subsequent SSIDs (#2 is public) to have access to a different subnet. With this setup the wifi on the router behaves exactly as I would like.

The challenge is that we have an EAP120 attached to the network that I'm trying to mirror the behavior. I have setup identically named SSIDs as the router, but both have access to the LAN by default. The only option I found was to create an access control rule for the public SSID so that it cannot reach the subnet of the primary LAN. This does actually work and prevents access to the devices on the LAN, the rub is that is that it does not hide the devices on the LAN and so anyone on the public SSID can see a listing of all the LAN devices. 

I believe I could setup the portal functionality and put it in guest mode and it'll prevent this (can someone confirm?), but I'd rather leave this simple and just have the SSID hide the LAN devices.