This involves two things: (one mandatory and one optional)
Mandatory
1 A Radius Server Side rule to check things like SSID, AD Group, EAP Type and to return authentication status of "passed" to the Aruba controller. It can also send an attribute along with that positive authentication back to the Aruba controller
Optional
2 A server derivation rule in the Aruba controller to process to attribute to put a user in a role.
How you write#1 depends 100% on your radius server.
Please see this article for how to do it on a Microsoft Radius Server: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/How-do-I-configure-an-Aruba-controller-to-use-AD-groups-through/m-p/2501/highlight/true#M552
Here is an article to see what radius attributes are send to your Aruba Controller from your radius server: https://kb.arubanetworks.com/app/answers/detail/a_id/826