To expand upon the existing replies. It seems your Captive Portal authentication profile is likely using the same server group as your secure 802.1X network (or atleast it is using the same servers). You have a couple of options to consider.
The username and passwords you are giving out to legitimate guests, where do these accounts exist? If they are on the controller, make sure the server group assigned to the captive portal profile only has Internal DB defined and does not have your enterprise servers. If the accounts are on the Radius server or in AD internally, then you'll need to make modifications to the authentication policies on the Radius side. For example, if you are using NPS, you'd have to setup two Network Policies; one for Guest access (with specific conditions and supported authentication types) and one for your Employee network. Aside from the supported authentication types, you could narrow down the conditions so that to match the Guest Network Policy the user account must be in a certain user group or setup a unique NAS-Identifier to differentiate the request (discussed in some posts on this forum; including here) . If you use ClearPass, similar conditions can be set using multiple services.
Before we can say for sure, can you:
1) Confirm whether the server group defined for the Captive Portal profile does contain your Radius servers for 802.1X authentication
2) Confirm where the legitimate guest accounts are created and reside; if they are in AD, are they assigned to a specific user group?
3) Tell us what Radius server you are using