Hi Jaker,
The short answer is yes it is. The way I would configure it is that the AAA Profile is configured with MAC-Auth and Dot1x and an initial role of denyall. The denyall user role will prevent the client from getting an IP address until it passes authentication which is useful to ensure that even if you switch VLANs on the client based upon authentication, it doesn't have the IP from the initial role VLAN even after you changed VLANs. You would then write a rule on ClearPass that if the MAC is unknown then send it to a user-role on the MAS that is configured with a Captive Portal.
Best regards,
Madani