If you want to to 802.1x authentication (whether with client certificates or just username/password), you'll still need a certificate on the RADIUS/IAS side. This can be a cert purchased from a public trusted authority, one issued from an internal PKI (for example a Microsoft PKI), or a self-signed certificate. Either way, you'll want to either make sure your clients trust the certificate (can be pushed through AD if you use a self-signed certificate) or tell the clients not to validate the server certificate (typically not recommended).
I usually use makecert.exe to do self-signed certificates. You just need to ensure it has the Server Authentication purpose. A sample is:
makecert.exe -n "CN=dc.mydomain.local" -sr LocalMachine -ss my -r -pe -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 01/01/2025
This will create the certificate and iinstall it to the Local Machine's certificate store; you can then reference it in your IAS policies.
Other options for makecert:
http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.71).aspx