You could do that, but it is very clumsy. If the kiosk manages to roam for whatever reason, the user will be logged out, because it will do 802.1x. and that will reset the initial role to Captive Portal.
We had a customer who tried to do 802.1x with MACs and then have the users login via captive portal, but on a roam, it would reset the user role to "logon" or captive portal and the user would have to login all over again. In addtion, the user would have to log out so that nobody reuses their session.
The question is, if it is a kiosk, who are you trying to keep out, or is there personalized content that you need to deliver to the user, that requires a login?