In the stickied kb article (link) it states:

" When the client connects to the SSID, EAP uses the MAC address of the client (in the format "xx:xx:xx:xx:xx") as the RADIUS User and User-password, the submitted PPSK as the Tunnel-password and submits the information to the RADIUS server for authentication. "

So the way it seems to work is: the Omada EAP submits the MAC address of the client as the User and User-password to the RADIUS server, the radius server responds with what the PPSK should be in Tunnel-password, and then the Omada EAP compares the two and authenticates the client if the two match.

Instead, is there any way to send the submitted PPSK to the RADIUS server for authentication, and then the RADIUS server can respond?

My goal is to have one SSID and depending on the PPSK entered authenticate clients into different VLANs. This seems to be possible by using PPSK without RADIUS, but I'd like to authenticate clients using an existing database, so either RADIUS or using PPSK without RADIUS, but calling an external api to authenticate clients using the PPSK (like how the external portal server works).