Tim is still pointing you to the machine authentication part of the solution to this: page 33.
If you use machine authentication and enable the corresponding section on the controller dot1x profile (I believe), then you can exclude non-domain-joined machines (i.e. smartphones, tablets, ...) from authentication on your SSID.
That is pretty much the only thing you can do with NPS. With ClearPass you get some extra options, but this remains a tricky thing to work out.