This is not possible because we are encrypting the traffic. A failed auth on WLAN 802.1x cannot failback to an initial role with a captive portal. This IS possible on a wired port because there is no encryption. You CAN use a provisioning SSID or use logic within ClearPass to pass back a role with a captive portal however, the initial attempt must use valid credentials.
IF the issue is configuring the supplicant, then you can "host" the quickconnect package on any URL and make sure employees download it before connecting to the SSID.