By default ACS has peap and eap-tls authentication enabled and is part of the proposed eap types. Just remember that the certificate will have to uploaded to the ACS trusted certificate store, and once you configure the certificate authentication profile, you can map that into a Identity Sequence store, so that ACS will check the cert, and if one isnt provided it can fall back to password authenticate against AD.
Thanks,
Tarik Admani
*Please rate helpful posts*