The full configurations will vary depending on how you want the NPS server to respond to the requests. I typically have customers create two network policies (or more) for this.
**The following are generic recommendations, I do not know what current conditions you have set for your policy are.
The first would be for secure 802.1x authentications; which you have confirmed you have working.
The second would be for captive portal logons. There would be a couple of changes. At a minimum, the supported authentication type woudl be PAP, not PEAP/MSCHAPv2 as you have for your secure wireless policy. If you need to be more restrictive (for example members of only certain groups can use the captive portal page) you can add additional conditions.
Again, this is not a detailed setup; but if you duplicate your existing Network Policy and change the supported authentication type, that shoudl get you started....you can then work on firming up your conditions for the policy's application. If your current secure wireless policy is returning attributes to the controller (user-role or VLAN for example); you may need to remove or alter these to meet your needs.