NAC with DHCP, Radius and dynamic VLANs

I am trying to set up a NAC in my environment to distinguish domain computers from guest computers with Radius.
In my LAN I have the UCS domain controller, and in the cloud is our JAMF server to configure our Macs.
When I set up a new Mac, it gets the whole configuration from the JAMF server (configuration for Active Directory and Radius certificates).
My idea is the following: A new Mac is in VLAN 100 (192.168.100.0/24) to reach the Internet but has no access to the internal network. After getting the Radius certificate, the Mac authenticates and changes itself to VLAN 200 with the corresponding IP address (192.168.200.0/24). Then a user logs in, and this user is a member of a group with VLAN ID 300, and the Mac gets a new IP from within this range (192.168.300.0/24).
If a guest Mac or PC connects to the LAN, it stays in VLAN 100 because it does not get a Radius certificate, and so it cannot access the internal network.
Is this scenario possible, and how do I do it? My switches support dynamic VLANs, so it should be done within UCS.
Any help is welcome.
