WLC vlan size and management

Hi list,

If I may ask for your advice, I have a Cisco 5508 WLC. Need to use it to
manage APs at multiple buildings which I plan on doing using AP Groups. I
understand that if I have one SSID mapped to one VLAN I can do it within
the AP group and all is well.
In my case, I have to provide a single SSID, but be able to assign clients
into vlans based on their credentials. ACS 5.2 takes care of that with

Currently, I only have it managing one building, so the problem is only
looming, but need to start converting my fat APs to LWAPs in other places.
That means "way more clients than I can fit into a /24 or even a /23".

The way I have it configured right now is as follows:

1. I have interfaces created in the WLC with names corresponding to the
value that gets sent in Tunnel-Private-Group-ID (this is done because
there are multiple controllers, but I can adjust to a tag instead. Though I
don't think this will help in my case)
2. I have these interfaces grouped into an interface group.
3. I have the WLAN created and mapped to the interface group (which I'm
pretty sure is not important, since AP group overrides this)
4. I have an AP Group with my APs in just this one building and that has
that very same WLAN mapped to the same interface group mentioned above
5. ACS sends back the interface name in Tunnel-Private-Group-ID and the
client gets placed into an appropriate vlan based on client's credentials

Now the issue

1. I need to add other buildings full of APs, so I'm guessing more AP
groups (one per building)
2. If I map the next new AP group to the same interface group it will work
and the clients will get placed into the same vlans as the clients above
3. The issue is that at some point I will exhaust the DHCP scopes.

I'm thinking that somehow I need to be able to place clients into an
appropriate vlan based no only on credentials but also on location (that is
building). What I can't find is how to match clients based on AP location
in my WLC 7.0 + ACS 5.2 setup. The best I could come up with is tracking
all AP's mac addresses and match Called-Station-ID based on those address,
but that's a nightmare in my opinion.

How do others do it? I would imaging there are some kind of "spill over"
features that have to exist out there or some other technique