What kind of switches do you use?
For Cisco you can do something like this:
interface GigabitEthernet1/0/35
switchport access vlan 100
switchport mode access
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 15
dot1x max-reauth-req 1
spanning-tree portfast
!
MAB is the key there - as it's mac address bypass - which in essence is mac-auth.. So on failed dot1x it will do mab, and here you will return the attributes from Clearpass which triggers the redirect-acl. Once redirected and authenticated, you use Radius CoA to change the ACL for the client.