Hi Marcelo,
RADIUS allows you to specify a VLAN for each user. In your example, you will need to create a user account for each contractor, specify the VLAN for the contractor, and have them connect to your network through 802.1x authentication. You can then set a rule in the LAN Enforcer with HI and Profile "Unavailable" and EAP "Pass", and then set it to "Open Port". When the contractor passes the user authentication, RADIUS will instruct the LAN Enforcer which VLAN the user should be put into, and the LAN Enforcer will then forward the information to the switch.
With this implementation, your network is still at risk, since you don't know whether the unmanaged endpoints meet your minimum security policy. In the August/September time frame, we are going to release a guest solution for this situation. The guest solution contains a dissolvable agent, so unmanaged endpoints can download the dissolvable agent and have an HI policy check run on the endpoint to make sure the endpoint is compliant before it is allowed onto your network.
Mandy Pang
Product Manager, SNAC
Symantec Corporation
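
An added example, not part of the original post and not Symantec code: a per-user VLAN is commonly carried in a RADIUS Access-Accept as the RFC 3580 tunnel attributes, and this sketch builds a constructed sample packet and extracts the VLAN from it, which is the check you would run against a captured Access-Accept to confirm a contractor account lands in the intended VLAN. That a given deployment uses exactly these attributes is an assumption; the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6          # RFC 3580 values for VLAN assignment

def attr(atype, value):
    """Encode one RADIUS attribute as type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_accept(ident, vlan_id, tag=0):
    """Constructed sample Access-Accept carrying the three VLAN attributes."""
    attrs = (
        attr(TUNNEL_TYPE, bytes([tag]) + TT_VLAN.to_bytes(3, "big"))
        + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TMT_IEEE_802.to_bytes(3, "big"))
        + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())
    )
    # Authenticator is zeroed: sample data only, not a validly signed response.
    return struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(attrs), b"\0" * 16) + attrs

def assigned_vlan(packet):
    """Return the VLAN ID string an Access-Accept assigns, or None if it assigns none."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        found[atype] = packet[pos + 2 : pos + alen]   # last occurrence wins
        pos += alen
    ttype, medium = found.get(TUNNEL_TYPE), found.get(TUNNEL_MEDIUM_TYPE)
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (ttype and medium and group):
        return None                    # no VLAN assignment in this response
    if len(ttype) != 4 or len(medium) != 4:
        raise ValueError("tunnel attribute must be tag byte + 3-byte value")
    if int.from_bytes(ttype[1:], "big") != TT_VLAN:
        return None
    if int.from_bytes(medium[1:], "big") != TMT_IEEE_802:
        return None
    if group[0] <= 0x1F:               # optional leading tag byte
        group = group[1:]
    return group.decode("ascii") or None
```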