On Secure Stacks "Protected Port" is available for client isolation. This can be also combined with NAC dynamic vlan assignment. (Not tested really but feature description sounds very good.)
Compareable Features on S-Series and EXOS are needed.
Private VLANs is not a solution because private VLANs needs static VLAN and Port configurations, so dynamic VLAN assignment via RADIUS / NAC is not possible.
Any solution available ?