Assuming you have the coverage you need with one AP per floor, yes, it's certainly possible.
Set up two VLANs, assign an SSID to each. Set up your L3 switch for trunking the two VLANs. Forward the traffic from your guest VLAN to your Internet Gateway device, Send the traffic for the internal network to your network gateway device (putting that VLAN in a DMZ would be a good thing.
Put in some ACLs for good measure, establish whatever encryption you feel appropriate, and you're good-to-go.
The MS IAS can only handle PEAP, EAP-TLS, EAP-TTLS, and (probably) MD5. Using MS-CHAPv2 for internal auth is recommended. Microsoft has some pretty good white papers on setting all of this up on their site.
Good Luck
Scott