Hi MIchael,
there's several ways you can accomplish this. With 2 tunnel-groups (connection profiles in ASDM terminology) and 2 group-policies the Radius server can push the "group-lock" attribute to deny access if a user connects to the wrong group.
Alternatively, create just a single connection profile, and 2 group-policies. Then have the Radius server push the group-policy name in the Class (IETF #25) attribute.
Since you mention memberOf I presume your Radius is actually using an LDAP back-end? In that case you'll need to configure it map the memberOf LDAP attribute to the group-lock or class attribute somehow.
Another solution would be to have the ASA authenticate directly using LDAP and configuring an LDAP attribute map (on the ASA) to map the memberOf to a group-policy.
hth
Herbert