I dont think you can currently do this, but I think it would be cool to have the ability to dynamically change the role for the connected device based on its fingerprint after authentication happens. Think of this like chained firewall rules.
Roles would be chained like this:
[OS/Device fingerprint]
[Radius Role]
Or better yet, allow more information to be populated in the internal database during radius authentication so you can send say filterID and group...
then you could have
[OS/Device fingerprint]
[Group Role]
[Radius Role]
They would all be chained together with a deny at a higher level taking precedence. Similar to how firewall chains work in most firewalls...