I'm sure there's some way you could rig it up with your RADIUS server, but it'd be a hassle. The trick would be getting the RADIUS server to respond with a unique VLAN for each user that connects.
The controller performs stateful firewall inspection and it can deny inter-user traffic as Tim pointed out. Using roles and firewall policies, there shouldn't be any need to use VLANs for separation, unless PCI compliance is necessary.