Separate users in two groups (staff and guests) in FreeRADIUS 3


If you want to assign groups to users, do it with check items, which insert items into the &control list, i.e.

guest1  MyGroup := 'guests', Cleartext-Password := 'password1'

staff1  MyGroup := 'staff', Cleartext-Password := 'kdjsfhksf'

and then

if ((&control:MyGroup == 'guests') && (&Called-Station-SSID == 'STAFF')) {
    reject
}
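As an added illustration (not code from the answer or from FreeRADIUS), this Python model parses check-item lines in the format shown above into a per-user &control list and then evaluates the answer's condition for a request; the users, SSID names and the authorize() helper are constructed for the example and only model the group check, not password authentication.

```python
import re

# Constructed sample: the two check-item lines from the answer.
USERS_FILE = """\
# Guest and staff users; all items on the first line are check items
guest1  MyGroup := 'guests', Cleartext-Password := 'password1'
staff1  MyGroup := 'staff', Cleartext-Password := 'kdjsfhksf'
"""

# One check item: Attribute <op> 'value'
ITEM_RE = re.compile(r"^\s*([\w-]+)\s*(:=|==|=)\s*'([^']*)'\s*$")


def parse_users(text):
    """Return {username: control_list}.

    Check items written with ':=' are copied into the request's control
    list once the entry matches; that is the list '&control:MyGroup'
    reads from in unlang. Items using '==' would be compared against the
    request and are skipped in this simplified model.
    """
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, rest = re.split(r"\s+", line.strip(), maxsplit=1)
        control = {}
        for item in rest.split(","):
            m = ITEM_RE.match(item)
            if not m:
                raise ValueError(f"bad check item: {item!r}")
            attr, op, value = m.groups()
            if op == ":=":
                control[attr] = value
        users[name] = control
    return users


def authorize(users, username, called_station_ssid):
    """Model of the authorize flow from the answer: the files module fills
    &control, then the unlang condition rejects guests on the STAFF SSID.
    Password checking is left to the authentication stage and not modelled."""
    control = users.get(username)
    if control is None:
        return "reject"  # unknown user: no entry matched
    if control.get("MyGroup") == "guests" and called_station_ssid == "STAFF":
        return "reject"  # the condition from the answer
    return "ok"
```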

Author: jamarju

Updated on September 18, 2022

Comments

  • jamarju, almost 2 years

    I have a FreeRADIUS (3.0.15) server for WPA authentication (PEAP + MSCHAPv2) and everything works out of the box even though it feels like it would take a lifetime of study in an enclosed monastery to master every bit of the configuration.

    I have my users in the users file and I would like to keep it that way (versus sql or ldap) because I like the convenience of editing users with a simple text editor.

    What I'm trying to accomplish:

    I have two SSIDs (staff and guests) and I would like to separate my users into two groups such that a guest user is rejected if they try to authenticate on the staff SSID.

    What I have so far:

    In my users file:

    DEFAULT
        MyGroup := 'guests',
        Fall-Through := Yes
    
    # Guest users
    guest1 Cleartext-Password := 'password1'
    # End of guest users
    
    DEFAULT
        MyGroup := 'staff',
        Fall-Through := Yes
    
    # Staff users
    staff1 Cleartext-Password := 'kdjsfhksf'
    # End of staff users
    

    My hope is that, after parsing the file, the reply:MyGroup attribute has staff or guest depending on what user matched the request.

    My dictionary file has this:

    ATTRIBUTE MyGroup 3000 string
    

    And my default site has this in the authorize group, right after the files module. The rewrite_called_station_id creates a new attribute, Called-Station-SSID, which I use along with the MyGroup attr created by the files mod to try and filter the users:

    # get SSID from Called-Station-Id
    rewrite_called_station_id
    
    # check guest connecting to staff SSID and reject if so
    if (&MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
            reject
    }
    

    I also tried this:

    if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
    

    But in any case I get the following error:

    if (&reply:MyGroup == 'guests' && &Called-Station-SSID == 'STAFF') {
    ERROR: Failed retrieving values required to evaluate condition
    

    At this point I have no clue what's going on and how to fix it.

  • jamarju, almost 7 years
    Aha! That's the missing piece I was looking for! You are my hero, thanks!!