Station Separation (a.k.a. client separation) is disabled by default. You can enable (allow) client-to-client traffic in the roles.
It is important to note that this only applies to clients on the same AP. The APs use the roles to filter traffic at layers 3 and 4 (network and transport layers respectively). So the AP looks at IP addresses and TCP/UDP ports (as well as some other protocols such as ICMP). But this also means that when clients on different APs but in the same network (locations in vWLAN) try to pass traffic, the AP will examine the layer 3 header, applying firewall rules as necessary. In other words, intranetwork traffic must be allowed as well.
For example, let's say you have checked this box. There are two clients with IP addresses in the same network. Client A is 10.0.0.1 and client B is 10.0.0.2. If client A and client B are on the same AP, they can communicate. If, however, client A and client B are on different APs, then when client A tries to communicate with client B, the AP servicing client A will check the packet header. If the role does not allow the traffic, then client A cannot communicate with client B.
I went ahead and flagged this post Assumed Answered to make it easier for others to find it in the support community. If any of the answers were Correct or Helpful Answer, feel free to mark them appropriately.
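The same-AP versus different-AP behaviour described in the answer above, as an added example that is not part of the original posts and is not vWLAN configuration or code. The `Rule` format, first-match evaluation, default deny, AP names and both sample roles are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                        # hypothetical role rule, not vWLAN syntax
    action: str                    # "allow" or "deny"
    dst: str                       # destination network in CIDR form
    proto: str                     # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None     # None matches any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: Optional[int] = None

def role_permits(rules, pkt):
    """Layer 3/4 check: first matching rule wins, no match denies (assumed)."""
    for r in rules:
        if (ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.dst)
                and r.proto in ("any", pkt.proto)
                and r.port in (None, pkt.port)):
            return r.action == "allow"
    return False

def can_reach(pkt, src_ap, dst_ap, client_to_client, rules):
    """Same AP: the client-to-client box decides. Different APs: the AP
    serving the sender applies the role's firewall rules to the header."""
    if src_ap == dst_ap:
        return client_to_client
    return role_permits(rules, pkt)

# Constructed roles: one forgets intranetwork traffic, one allows part of it.
INTERNET_ONLY = [Rule("deny", "10.0.0.0/24", "any"),
                 Rule("allow", "0.0.0.0/0", "any")]
INTRANET_OK = [Rule("allow", "10.0.0.0/24", "icmp"),
               Rule("allow", "10.0.0.0/24", "tcp", 443)]

PING = Packet("10.0.0.1", "10.0.0.2", "icmp")   # client A -> client B

if __name__ == "__main__":
    for name, role in (("INTERNET_ONLY", INTERNET_ONLY), ("INTRANET_OK", INTRANET_OK)):
        print(name, "same AP:", can_reach(PING, "ap1", "ap1", True, role),
              "| different APs:", can_reach(PING, "ap1", "ap2", True, role))
```

With the box checked, the `INTERNET_ONLY` role lets A reach B on one AP but blocks the same ping once the clients are on different APs, which is the symptom the answer describes.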