1. you can utilize internal database or use NPS for this (or both :D)
2. You can try these:
- Create MAC based auth wifi, "initial role" and "802.1x role" set to denyall
- mac role set to "logon" (or new profile.. )
- edit logon profile, set to use captive portal (L3) profile.
- on L3, enable user login (username / password), set user role to "allow-internet-role", set authentication server to NPS
-Yopianus Linga-