Hi,
we have it running the same way. But in our case the most PC users are Domain users.
In your case I think you did everything right for the first view. You use PEAP (MSCHAPv2)
1- Important is that the client trust the certificate. If not windows PC`s normaly will not work, on my MACBOOK I can say ok I trust it (after a popup)..
2- The Client supplicant must be configured for 802.1x
3- If the client is not a Domain user, the integrated authentication will not work and the user got a information that he need to log in or more credatils are necessary (a small balon info in windows). He will get a window where he can insert the necessary credentials like domain/username and passwort.
This is how it work in our enviroment and lab. If you need detailed informations, just let me know..
best,
Sebastian