We have a wireless network that is currently supporting both domain-joined and non-domain-joined machines using 802.1X (MSCHAPv2) for authentication. This is working well; however, we now want to start segmenting off BYOD technology into another VLAN for security. How I would prefer to do this is to keep using the same SSID and 802.1X authentication, but I want to use MAC-based filtering to classify a machine as a BYOD machine or corporate owned. So, for example, what would happen with a normal corporate device is that it would authenticate via 802.1X and the MAC address would be looked up. If the MAC address is found, it would be put in VLAN 1. In the case of BYOD, the same 802.1X authentication happens, but the MAC address lookup will fail and the client will be put in VLAN 2 for BYOD.
I know I can do something similar with http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx, but we support lab systems and shared devices, so any user can use any device. I also know NAP may be close to what I want, but many of our devices are not NAP compliant, which would result in too many devices being filtered into remediation. I may also be able to get by in the short term by matching on the domain name in the username field, because in most cases users will not fill in a domain qualifier on their personal devices, but again it runs the risk of users being able to switch back and forth between networks. And of course we could do something with DHCP to an extent, but that would not really provide any type of secure isolation.
Does anyone know if this is possible with NPS directly or via 3rd-party tools?
Thanks.
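The decision the post describes (802.1X succeeds, then the client's MAC is looked up and the reply carries a VLAN) is, on the RADIUS wire, an Access-Accept that includes the RFC 3580 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN id), which is what NPS sends when a network policy is configured with those attributes. The model below is an added example, not NPS code or anything from the original post: it evaluates two ordered policies ("corporate device": EAP success and MAC in inventory; "BYOD": EAP success only) against constructed requests, and normalises the several Calling-Station-Id formats that different access points and controllers send, which is where MAC-lookup policies most often fail in practice. The inventory list, usernames and MACs are constructed sample data. One caveat from the defender's side: a MAC address is a weak device identity, so this classification keeps BYOD clients out of the corporate VLAN by default but does not replace a certificate-based device identity (EAP-TLS with machine certificates) where that is available.

```python
"""Model of an NPS-style policy set that assigns a VLAN by MAC lookup after
802.1X authentication. Example code; not part of NPS or the original post."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

CORP_VLAN = "1"   # VLAN for devices found in the corporate inventory
BYOD_VLAN = "2"   # VLAN for authenticated devices that are not in the inventory

# Standard RFC 3580 values read by switches/controllers for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Collapse the Calling-Station-Id formats seen from different NAS vendors
    (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455) into twelve
    lowercase hex digits. Returns None when the value is not a MAC address."""
    raw = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    return raw if MAC_RE.match(raw) else None


def load_inventory(lines: Iterable[str]) -> Set[str]:
    """Parse an exported asset list (one MAC per line, '#' starts a comment)."""
    macs: Set[str] = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac = normalize_mac(line)
        if mac is None:
            raise ValueError(f"inventory line is not a MAC address: {line!r}")
        macs.add(mac)
    return macs


@dataclass
class AccessRequest:
    """The subset of a RADIUS Access-Request the policy decision needs."""
    user_name: str
    calling_station_id: str
    eap_authenticated: bool  # True once PEAP/MSCHAPv2 has succeeded


def vlan_attributes(vlan_id: str) -> Dict[str, object]:
    """Reply attributes that place the port/association in the given VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": vlan_id,
    }


def decide(req: AccessRequest, inventory: Set[str]) -> Tuple[str, Dict[str, object]]:
    """Evaluate the two ordered policies and return (reply code, attributes).

    Policy 1 'corporate device': authenticated AND MAC in inventory -> VLAN 1.
    Policy 2 'BYOD'            : authenticated                      -> VLAN 2.
    Anything that did not authenticate is rejected regardless of MAC."""
    if not req.eap_authenticated:
        return "Access-Reject", {}
    mac = normalize_mac(req.calling_station_id)
    if mac is not None and mac in inventory:
        return "Access-Accept", vlan_attributes(CORP_VLAN)
    return "Access-Accept", vlan_attributes(BYOD_VLAN)


# Constructed sample inventory in two of the formats an export might use.
INVENTORY = load_inventory([
    "# corporate laptops (constructed sample data)",
    "00-11-22-33-44-55",
    "aabb.ccdd.eeff",
])

if __name__ == "__main__":
    samples = [
        AccessRequest("CORP\\alice", "00:11:22:33:44:55", True),  # corporate
        AccessRequest("alice", "AA-BB-CC-DD-EE-FF", True),        # corporate, odd format
        AccessRequest("bob", "de-ad-be-ef-00-01", True),          # personal device
        AccessRequest("bob", "de-ad-be-ef-00-01", False),         # failed 802.1X
    ]
    for s in samples:
        print(s.user_name, s.calling_station_id, decide(s, INVENTORY))
```

The ordering matters in the same way it does for NPS network policies: the more specific "corporate device" policy must be evaluated before the catch-all "BYOD" policy, or every client lands in VLAN 2.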