Unknown username and password matching

[Dan Strong]

I'm trying authenticate users on to different networks but without their usernames and passwords.

Basically they input a specific psk on wireless and this then hits the radius and sends them onto a vlan.

So I have this working using DEFAULT auth-type = accept.

It's matching a Cisco avpair psk and vlan attribute, they get dropped on to a specific vlan. This works.

If I put the wrong psk in, I don't get on the network so this is good and expected. It's matching the Cisco avpair psk in radius.

Is there any way to have a 2nd DEFAULT and have it match a 2nd cisco avpair? So in essence it looks at the first and says no, moves to the 2nd set of attributes? Validates a different password and drops them on a different vlan.

I know I'm using default and it's matching anything, maybe there is another way? I don't want to match a sent username and password to confirm as this is sent as the devices Mac address which would be unknown to me.

Feel like this should work somehow but I'm missing something...