I believe that since the RADIUS embedded in Authentication Manager (Funk/Juniper Steel Belted RADIUS) is not a full licensed RADIUS server, this is a limit. Some might have some ideas on work-arounds, but I think you would need to put something in front of Authentication Manager such as a Cisco ASA in order to control Access with RADIUS attributes and profiles to that degree, where the user can be in different groups based on different RADIUS profiles for different RADIUS clients.
Maybe you can glean something out of the attached PDF, which Frank 'The RADIUS Guy' Miller wrote years ago, to return AD group information as a RADIUS attribute. Often we found that when multiple groups were returned for a user, many RADIUS clients could not pick out the needed group to grant access so gave the lowest access.
