In theory NARs should work for you - depending on what the ASA sticks in its authentication request.
For layer 2 authentications ACS applies CLI/DNIS NARs. Traditionally with dial the AAA client would put the calling number and called number into the RADIUS attributes: Calling-Station-Id and Called-Station-Id respectively.
With 802.1x devices stick the MAC address of the endpoint into Calling-Station-Id.
If the ASA does this to you can create a CLI/DNIS NAR just for this user (in the user record) that has a single permit entry:
AAA Client = All AAA Clients
Port = *
CLI =
DNIS = *
Note that user level NARs need to be enabled under interface config first.
Darran