This is a bit of restating the problem, but hopefully it answers your question.
In Radiator you can opt to send the inner-identity back on the equivalent of a per-device group basis for the Access-Accept. i.e.
1. external device connects: send back outer identity for User-Name
2. internal device connects: send back inner identity for User-Name
In ClearPass this seems to be a global option.
Ideally I would be able to override the global option on a per-device group basis. The alternative is to have a dedicated ClearPass server for internal vs. external devices (not ideal) or perform the rewrite/drop of the User-Name after ClearPass sends back an Access-Accept.