I have found two possibilities, neither of which is very sexy.
The first is to fiddle out the realm name from Acct-Session-Id ("-userid-(realm)...").
The second is to create a separate authentication server for each realm (even if the auth servers do the same thing) and work with NAS-Identifier.
Is there another possibility that I am missing? Cisco ASAs for example transmit a simple attribute called "ASA-TunnelGroupName" which includes exactly that.