No. Keep them in the same service. We will send a different Enforcement Profile that will send a different role, depending on whether it does EAP-TLS or not:
On the controller:
Make sure you have two roles set aside for your two different types of users. You will not need any Server derivation rules in the server group, because we will send an Aruba VSA (Aruba-User-Role) with the name of the Role from CPPM and that will automatically put the user in that role.
On CPPM:
1- Go to Configuration> Enforcement> Profiles.
2- Click on Add Enforcement Profile
3- Select Aruba Enforcement Profile and name the Profile after your first Aruba Role (for TLS/Certificate users). Click on Next and in the Attributes Tab, fill in the Value box with the name of the Aruba Role that you want to send back for Certificate (TLS) users. Click on Save.
4- Select Aruba Enforcement Profile and Name the Profile after your Second Aruba Role (for PEAP/Username and password users). Click on Next and in the Attributes Tab, fill in the Value box with the name of the second Aruba Role that you want to send back for PEAP users. Click on Save.
5- Go to Configuration> Enforcement> Policies. Click on Add Enforcement Policy. Name the policy Encrypted-Users. Click Next and under the Rules Tab click to add a rule that says: "Authentication Outer Method Equals EAP-TLS". Under the Enforcement Profile portion, select the Enforcement Profile you created in Step#3. Click on Save.
6- Add another rule. Click Next and under the Rules Tab click to add a rule that says: "Authentication Outer Method Equals EAP-PEAP". Under the Enforcement Profile portion, select the Enforcement Profile you created in Step#4. Click on Save.
7- Go into Configuration> Services and edit your Service. Under the Enforcement Tab, select the Enforcement Policy you created in Step#5.
Try that and let us know if it works.
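
To check the result of the steps above in a packet capture, the following added example (not part of the original post, and not ClearPass or controller code) models the two-rule policy and builds and decodes the Aruba-User-Role VSA carried in the Access-Accept. The role names `cert-users` and `password-users` are hypothetical, and first-match rule evaluation is an assumption.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute type (RFC 2865)
ARUBA_VENDOR_ID = 14823    # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1        # Aruba-User-Role in the Aruba RADIUS dictionary

# Hypothetical role names; substitute the two roles defined on your controller.
POLICY = [
    ("EAP-TLS", "cert-users"),        # rule from step 5
    ("EAP-PEAP", "password-users"),   # rule from step 6
]

def select_role(outer_method, policy=POLICY):
    """Assumed first-match evaluation; None means no rule matched."""
    for method, role in policy:
        if outer_method == method:
            return role
    return None

def encode_role_vsa(role):
    """Build the type-26 attribute that carries Aruba-User-Role."""
    value = role.encode("ascii")
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("role name too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_role_vsa(attr):
    """Return the role name, or None if attr is not a well-formed Aruba-User-Role VSA."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    (vendor,) = struct.unpack("!I", attr[2:6])
    vtype, vlen = attr[6], attr[7]
    if vendor != ARUBA_VENDOR_ID or vtype != ARUBA_USER_ROLE:
        return None
    if vlen != len(attr) - 6:
        return None
    return attr[8:].decode("ascii")

if __name__ == "__main__":
    for method in ("EAP-TLS", "EAP-PEAP", "EAP-TTLS"):
        role = select_role(method)
        print(method, role, encode_role_vsa(role).hex() if role else "no rule matched")
```

An outer method that matches neither rule returns `None` here; decide which role such clients should receive rather than leaving it implicit.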