How does your radius response look like?
I think the response could contain several occurrances of the same key, just like your example with the Vasco server and the intern and extern VPN.
Actually, what do you need in the Firewall.
You can also set a distrinct filter-id based on some regexp in your privacyidea response attributes.
I had a cool video explaining all this. Never published it since the image was too choppy.
Maybe I should nevertheless…