Looks like users are part of both the groups and this is actually the default behaviour everytime ACS see that user is a part of first group in sequence it let the user fall in that group and will never check the next group mapping in sequence.
There is a feature called NAP, that could be quite useful. But that was introduced in ACS 4.x, you can't avail it in ACS version 3.2. NAP allow classification of access requests based on device belonging to a network device group, protocol, or other RADIUS attributes sent by the device the user is connecting through. In addition, authentication, access control, posture validation, and authorization policies can be mapped to profiles.Unfortunately, On this version ACS 3.2, we can't do anything.
You need to upgrade to 4.x
Regads,
JK
Do rate helpful posts-
~Jatin