I'm using Steel-Belted Radius (very similar to FreeRADIUS) and I've been tasked to use RADIUS to segregate two wireless networks. We're broadcasting 2 SSIDs and the gear can choose which RADIUS server to authenticate to. Downside is I only have 1 RADIUS server, so both go to the same location. I was hoping I could set up profiles based on different shared secrets, but we only have one wireless controller with one IP and SBR can't have more than one profile with the same IP.

The goal is to have one company connect to one SSID and another company connect to the other. If someone tries connecting to the wrong SSID, RADIUS would check their EAP certificate with AD and reject if the certificate is for the wrong OU/company. Querying AD and the certificate is easy; getting it to return based on the SSID is my sticky part, since RADIUS doesn't see a difference. Same IP, same profile, just returns success or fail.

Without adding another RADIUS server, is this possible?