Hi,
Let's clarify all possibilities and you can chose one from there :-)
1) the Wireless Controller (WLC) can act as radius server. The feature is called "local eap". So the WLC authenticates the client (wpa2 if you like).
The WLC can use an LDAP database as user database. The only restrictions are that you cannot use "mschapv2" methods. So only peap-gtc,eap-fast-gtc and eap-tls. Of those 3, only eap-tls is present on the client default windows supplicant.
2) You can have a complete radius server like Cisco ACS. However the limitation coming with LDAP remains. Unless your database is Active Directory in which case ACS can integrate with it and allow for all eap methods.
3) If you go for WPA enterprise, that means you will authenticate users 2 times. One with dot1x to join the wireless and one with NAC afterwards to get network connectivity. Again if you have active directory, you can go with "single sign on" so that users never have to enter their credentials. Otherwise they will have to enter them twice.
Apart from that fact, NAC pretty much doesn't care if your wireless is open or dot1x-secured, it comes after the dot1x authentication anyway.
I hope this clarifies ?
Nicolas
===
please rate answers that you find useful