If you have MPSK deployed, you might be able to do what you try by working indirectly with attributes in other authorization sources like the endpoint database or the guest device database entry.
As the MPSK is bound to a device, you can assume that the correct MPSK is used for that device. If you are looking to have different roles depending on the PSK entered, that doesn't work like Tim mentioned as there is only one single PSK that will be accepted for that device. What you still can do is return roles depending on the device, or profiling information, and so on.