Colin, I know about ClearPass, and that is part of this. The idea is to have only a subset of users (my department) using CP for EAP-TLS and have the rest of the population continue to use IAS for EAP-PEAP.
These users can associate from anywhere, so can't use geography (AP groups) to differentiate.
Can't use ArubaOS to differentiate between TLS/PEAP.
Usernames are the same on PEAP and TLS so can't differentiate there.
No domains are used, so can't separate based on realms.
The point is to trial ClearPass without having all auth go through there. But it doesn't look like there's another option, given the requirement to continue having mobility for the TLS users.