Why not just using EAP-TLS as the auth as-is, since you control the horizontal and vertical if the certs and CA (CA can sign your RADIUS server cert). Then just use some post-auth to pass request to your backend to work out what VLAN to return?

alan