Why not just using EAP-TLS as the auth as-is, since you control the horizontal and vertical if the certs and CA (CA can sign your RADIUS server cert). Then just use some post-auth to pass request to your backend to work out what VLAN to return?
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html