Hi
I have just had the opportunity to deploy this very scenario.
Yes, as you say, you need IETF Radius Attributes 64, 65 and 81 enabled for Groups. Then you need, under Interface Configuration, Advanced Options, to make sure that you have ticked the following:
Per User Tacacs+/Radius Attributes
User Level Network Access Restrictions
Group Level Shared Network Access Restrictions
Group Level Network Access Restrictions
Then the 64, 65 and 81 Attributes show up in the Group Setup section. Check these and then for either Tag 1 or Tag 2 (you can change the default to see more tags) choose VLAN, 802 and then a VLAN ID number in each respective section. Do this for each VLAN group you want to deploy.
Then, External User Databases, Unknown User Policy, check external databases to verify your domain/s AD, then in Database Group Mappings, create a profile for each of your domains, assigning a particular NT/2000 user group/groups to a particular ACS group, which then maps to a particular VLAN (the Radius attributes stuff above).
That should just about do it!
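
To verify what the server actually returns for a group, the sketch below (an added example, not part of the original post and not Cisco code) parses the tagged attributes 64, 65 and 81 as laid out in RFC 2868 and reports which tags carry a complete VLAN / 802 / VLAN ID triplet. The function names and the sample bytes are constructed for illustration; 13 (VLAN) and 6 (IEEE-802) are the RFC 2868 values behind the "VLAN" and "802" choices in the GUI.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 2868 values for Tunnel-Type / Tunnel-Medium-Type

def attr(code, tag, value):
    """Encode one tagged tunnel attribute (helper for building sample data)."""
    if code in (TUNNEL_TYPE, TUNNEL_MEDIUM):
        body = bytes([tag]) + value.to_bytes(3, "big")  # tag + 3-octet value
    else:
        body = bytes([tag]) + str(value).encode()       # tag + VLAN ID string
    return bytes([code, len(body) + 2]) + body

def parse_attrs(buf):
    """Yield (code, value_bytes) for each attribute in a RADIUS attribute list."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 3 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def check_vlan_reply(buf):
    """Return ({tag: vlan_id}, [tags with an incomplete or non-VLAN triplet])."""
    groups = {}
    for code, val in parse_attrs(buf):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            if len(val) != 4:
                raise ValueError("attribute %d must carry tag + 3 octets" % code)
            groups.setdefault(val[0], {})[code] = int.from_bytes(val[1:], "big")
        elif code == TUNNEL_PGID:
            # A first octet above 0x1F is part of the string, not a tag.
            tag, text = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            groups.setdefault(tag, {})[code] = text.decode("ascii")
    assigned, incomplete = {}, []
    for tag, g in sorted(groups.items()):
        if (g.get(TUNNEL_TYPE) == VLAN and g.get(TUNNEL_MEDIUM) == IEEE_802
                and TUNNEL_PGID in g):
            assigned[tag] = g[TUNNEL_PGID]
        else:
            incomplete.append(tag)
    return assigned, incomplete

# Constructed sample: tag 1 is complete (VLAN 20); tag 2 lacks attribute 65.
SAMPLE = (attr(TUNNEL_TYPE, 1, VLAN) + attr(TUNNEL_MEDIUM, 1, IEEE_802)
          + attr(TUNNEL_PGID, 1, 20) + bytes([18, 4]) + b"ok"
          + attr(TUNNEL_TYPE, 2, VLAN) + attr(TUNNEL_PGID, 2, 30))

if __name__ == "__main__":
    print(check_vlan_reply(SAMPLE))
```

A tag reported as incomplete usually means one of the three boxes was left unchecked in Group Setup for that tag.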