Certainly possible using captive portal - we use it, and I'm not aware of any requirements for a certificate.
As far as I remember, you just put your NPS server in the profile. I believe it defaults to NPS/RADIUS if user is not in the local database.
We offer a guest account that is rate-limited (in the local DB) and our other users just use their network credentials.