1. Problem is both are authenticating against same server. both are in different group. but we need to differenciate the two radius request to validate them against two differnt user-group.
2. you can use ARUBA-ESSID attribute on the radius request to differentiate the users
say User connect to student SSID --> radius req will have essid as student--> Create policy in the radius server that if aruba ESSID == student then check if the username belongs to student group.
3. Another way of doing it is using NAS -ID.
Create 2 radius server on controller, with same IP and key. but differnt NAS-ID,say student and STaff. map it to differnt servergroup and to the aaa profile.
So when student tries to auth, he will carry NASID as Student on radius req. SO create a policy in the radius server that if the NAS ID = student then cehck for user in student group in AD.
Hope that clears your query. ALso let me know the case number with TAC and i will review it.