Hi,
For basic username/password authentication, you will need EAP-PEAP, you can also do EAP-TLS, since no extra configuration would be required on NAS (switches).
For Onguard, Radius Change of Authorization is mandatory if you want to change the user's role or Vlan during post authentication.
Then comes the requirement to install OnGuard on the client machines. In this case either you can manually do it (through AD GPO etc) or some other automation tool, if that is not possible and you want to redirect them to a web page and instructing them to download the onguard plugin, for this you need Captive Portal redirect.
Can you tell me which dell switches you are currently working on? i think 15xx and above support web redirect and CoA (need to confirm though).
For netgear i am not sure since its SMB.