You can do it with either solution you choose. With RADIUS, either ACS or IAS will work as long as the proper attribute is chosen; downloadable ACLs are easier to configure on ACS, but you can define VSAs on the IAS to define these.
On the ASA you can define this locally by creating VPN filters and applying these filters to a group policy, then based on the user attributes (locally on the ASA) you can assign users to specific group policies where the filters are defined. HTH
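The local ASA approach described in the reply above, sketched as an added example that is not part of the original post. The ACL name, group-policy name, username, addresses and password are constructed placeholders, and the client pool 10.99.0.0/24 is an assumption.

```cisco
! Constructed example: every name, address and the password is a placeholder.
! Filter ACL. In a vpn-filter ACL the remote (VPN client) side is written
! as the source and the protected internal resource as the destination.
access-list FINANCE-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 192.0.2.10 eq 443
! Explicit deny so that dropped traffic shows up in the ACL hit counters.
access-list FINANCE-FILTER extended deny ip any any
!
! Group policy that carries the filter.
group-policy FINANCE-GP internal
group-policy FINANCE-GP attributes
 vpn-filter value FINANCE-FILTER
!
! Local user assigned to that group policy through a user attribute.
username alice password <placeholder-password>
username alice attributes
 vpn-group-policy FINANCE-GP
```

A filter change applies to new sessions, so have the user reconnect and then check the hit counts with `show access-list FINANCE-FILTER`.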