Welcome to the community @Knocker! Interesting question/need.
Disclosure: this reply might seem a bit frazzled as I’m typing as I’m working this out.
Clear TL;DR for the way things are set up right now: you're correct, the way to do this would be to create a new Network (traditionally called an SSID) that only transmits 2.4GHz, and create a network on that with the network type of IoT.
As for the ask itself…
Let’s start with an example: SSID 1 - Both bands
1 - Network: Small/PSK
2 - Network: Internet Only/Open
3 - Network: IoT/PSK
In this scenario, if you were able to disable 5GHz on Network 3, 5GHz would still broadcast on all 3 networks. You set up an IoT device and punch in its PSK; the AP would then decide what network to put the client on based on the password only; there is no consideration of bands in this at all. This is because the bands are hardware based/SSID based. Yes, the software can beacon 2.4GHz only on the IoT network, but the core logic of "where does this client need to associate" only takes it to VLAN, ingress, egress, filtering type, etc. In most cases, the client chooses which band it'll sit on (excluding the consideration of the band steering feature), so generally speaking, the client makes this call.
Now imagine the band steering option; that's an SSID-level feature. So if you have one SSID, as you're wanting to use with AltaPass, now the AP is trying to steer your IoT devices to 5GHz. And, as we're all aware, many/most IoT devices are 2.4GHz only, so that will likely pose an issue.
One little bit of fun information that I've learned is regarding data rates. From what I see, most IoT devices will max out at the 65mbps data rate. This will not mesh well with more advanced devices like full-blown laptops, tablets, cell phones, etc. In this case, you should drop the data rate below its default. In my setup, I've found 2mbps works great, but you may have to go down to 1mbps. You might be thinking "that's crazy", and it does sound crazy on the surface. But what are these devices sending/receiving? Hardly anything. Most of them are sending a JSON payload of just a few bytes or maybe up to kilobytes, so the people that engineer them don't need the high data rates; not to mention, you don't have to put a higher-end WiFi chip in the hardware, which should reduce the BOM and theoretically reduce your cost to buy the IoT device.
These reasons are why setting up a separate SSID for IoT devices is the best approach. You can set your IoT SSID data rate to the minimum, disable 5GHz, not have to worry about band steering, etc.
AltaPass is incredibly useful and it has applications. This isn’t really one of them. Before AltaPass or any other dynamic PSK, you would have to set up multiple SSIDs to manage all these different network segments, so AltaPass is a way to allow the aggregation of most of these types of networks, but not all. AltaPass already does more than any other dynamic PSK mechanism on the market. Not just VLANs, but implementing network type, scheduling, hotspot, filtering, ingress, and egress.
I'll end this incredibly long-winded post with an example I have at my house. One of my kids' TVs is a smart TV and doesn't have the greatest WiFi chip, it seems. It needs that 2mbps data rate. But I don't want that to apply to the main SSID. So I simply create a new SSID with a single AltaPass on it, drop the rates, and I'm done. I think it's 2 extra fields overall: the SSID name and then dropping the slider for the rates. Now I can do 1gbps over WiFi and she can stream whatever she wants (except TikTok, that's filtered).
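The distinction the post draws, that the PSK alone picks the network (VLAN, filtering, and so on) while band, band steering and data rates are properties of the SSID, is easy to model. The following is an added example written for this thread; it is not code from the poster or from Alta Labs, and it does not talk to any controller. All SSID names, network names, PSKs, client radios and data rates are constructed values. `place_client` applies the post's association logic, and `lint_ssid` flags the SSID-wide settings the post says hurt 2.4GHz-only IoT devices, so you can check a planned layout before building it.

```python
"""Toy model of SSID-level vs network-level behaviour for IoT clients.

Constructed example: all names, PSKs and rates below are made up. Only the
logic described in the post is modelled (PSK selects the network; band,
band steering and minimum data rate are decided per SSID, never per network).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Network:
    name: str
    kind: str            # "Small", "Internet Only" or "IoT"
    psk: Optional[str]   # None models an open network


@dataclass
class SSID:
    name: str
    bands: frozenset     # radios the SSID beacons on, e.g. {"2.4GHz", "5GHz"}
    band_steering: bool  # SSID-wide feature that pushes clients toward 5GHz
    min_rate_mbps: float # lowest data rate the SSID allows (constructed values)
    networks: List[Network] = field(default_factory=list)


@dataclass
class Client:
    name: str
    bands: frozenset     # radios the client hardware supports
    max_rate_mbps: float # best rate the client's WiFi chip can do
    psk: Optional[str]


@dataclass
class Placement:
    network: Optional[str]  # network the client lands on, None if it cannot join
    band: Optional[str]
    notes: List[str]        # reasons for failure or warnings about steering


def place_client(ssid: SSID, client: Client) -> Placement:
    """Decide where a client lands, following the post's description."""
    # Step 1: the password is the only thing that selects the network.
    network = next((n for n in ssid.networks if n.psk == client.psk), None)
    if network is None:
        return Placement(None, None, ["no network on this SSID matches the PSK"])
    # Step 2: band availability is an SSID property, independent of network.
    usable = ssid.bands & client.bands
    if not usable:
        return Placement(None, None, ["SSID beacons on no band the client supports"])
    # Step 3: the minimum rate is SSID-wide too; a weak chip can be locked out.
    if client.max_rate_mbps < ssid.min_rate_mbps:
        return Placement(None, None, ["client cannot meet the SSID minimum data rate"])
    notes = []
    if ssid.band_steering and "5GHz" in ssid.bands and "5GHz" not in client.bands:
        notes.append("band steering will try to push a 2.4GHz-only client to 5GHz")
    # Absent steering, the client picks its band; model 5GHz as its preference.
    band = "5GHz" if "5GHz" in usable else "2.4GHz"
    return Placement(network.name, band, notes)


def lint_ssid(ssid: SSID) -> List[str]:
    """Flag SSID-wide settings that the post says clash with IoT networks."""
    findings = []
    if any(n.kind == "IoT" for n in ssid.networks):
        if "5GHz" in ssid.bands:
            findings.append(f"{ssid.name}: IoT network on an SSID that also beacons 5GHz")
        if ssid.band_steering:
            findings.append(f"{ssid.name}: IoT network on an SSID with band steering on")
        if ssid.min_rate_mbps > 2:
            findings.append(f"{ssid.name}: minimum rate {ssid.min_rate_mbps} Mbps is high for IoT")
    return findings


# Constructed layout: one shared SSID (the post's "SSID 1 - Both bands") and
# a dedicated 2.4GHz-only IoT SSID with the rate slider dropped.
HOME_SSID = SSID("Home", frozenset({"2.4GHz", "5GHz"}), True, 12.0, [
    Network("Family", "Small", "family-psk"),
    Network("Guest", "Internet Only", None),
    Network("Things", "IoT", "iot-psk"),
])
IOT_SSID = SSID("Home-IoT", frozenset({"2.4GHz"}), False, 2.0, [
    Network("Things", "IoT", "iot-psk"),
])
PLUG = Client("smart-plug", frozenset({"2.4GHz"}), 65.0, "iot-psk")
LAPTOP = Client("laptop", frozenset({"2.4GHz", "5GHz"}), 1200.0, "family-psk")

if __name__ == "__main__":
    for ssid in (HOME_SSID, IOT_SSID):
        for client in (PLUG, LAPTOP):
            print(ssid.name, client.name, place_client(ssid, client))
        print(ssid.name, "lint:", lint_ssid(ssid) or "clean")
```

Running it shows the plug landing on the "Things" network of the shared SSID purely because its PSK matched, but with a steering warning, while the laptop lands on "Family" over 5GHz. On the dedicated IoT SSID the plug joins cleanly and the laptop's PSK matches nothing, which is the isolation the post recommends; `lint_ssid` reports three findings for the shared SSID and none for the IoT one.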