https://www.arubanetworks.com/assets/ds/DS_ClearPass_Onboard.pdf
Clearpass would replace your NPS and onboard is one of its modules.
1) For EAP-PEAP your clients need to trust the server certificate.
If you use a publicly signed certificate, it really depends on their trust list. Not every device has every (or even any) trusted CA listed.
2) For AD clients you would preferably use GPOs to distribute the network settings to your clients. Also distributing your trusted CA to AD clients is something that can be done within AD.
3) Not sure what your question is here.
- Looking at the screenshots..
@kts is almost correct. Yes you want to click the Add button and add PEAP like in his second screenshot.
However, for EAP-PEAP Mschapv2 you must not check ANY checkboxes under "Less secure authentication methods". So do NOT check MS-CHAP-v2 or MS-CHAP here!
For guest users, I really have to agree with @Herman Robers, do not use 802.1X for them.
I think you need to take a step back here and look at and explain what you are trying to achieve.
I see you mentioning guest users. What kind of guests are they? Are they visitors that just need internet access? If not, what kind of access do they need?
Why not simply use a captive portal authentication for guests?
For true guest users NPS is really limited. I wouldn't want to create AD accounts for guests. I would rather use a controller's internal db to authenticate those if Clearpass was not an option.