Thanks for the reply.
First, adding an else to the if statement doesn't really help. As that is in the authorize section that simply queries AD via LDAP to check for groups of the user. It uses an admin DN to bind and query, not the actual user credentials (as this is a PEAP) request. So I actually need to set that attribute in the authenticate section when I determine that authentication had failed.
All that being said, I was unaware of what you stated in your second paragraph. I did test that though. I just always return ACCEPT - ACCEPT when the calling station ID was from the wireless controller. Even when I provided wrong credentials radius returned ACCEPT-ACCEPT which indicated to the controller it was successful and the user was able to get on WIFI (just the wrong VLAN because LDAP found the user in a specific group and assigned that VLAN).