This bug/feature from fix Bug 55757 allows users to login with their mailPrimaryAddress but the rest of the record isn't returned and so dynamic Vlans are not assigned.  Ye sI'm modifying the /etc/freeradius/3/0/sites-available/default file but we assign vlans on a hierarchy since many users belong to multiple groups.

Example snip from the post-auth { section of the file:
                }       
        if (Group == "School Admin") {
                update reply {
                        Tunnel-Type := "VLAN"
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Private-Group-ID := 35
                }       
        }
        elsif (Group == "Teachers") {
                update reply {
                        Tunnel-Type := "VLAN"
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Private-Group-ID := 45
                }
        }

In our school some school administrators do teach a class or two.  But they belong to both groups.  This works as expected when logins happen via ldap.