Well, unfortunately Windows NPS supports RADIUS, so this is not really an ICX issue that can be fixed by Comscope or Ruckus but rather a protocol limitation. In fact ANY vendor including direct competitors such as HP/ProCurve and Cisco that login to NPS use RADIUS as well and have the same weakness. It might be better if it at least used PEAP, but I have never had that working outside of Wireless Authentication, which is another topic altogether.
If you want to do full credential encryption you might prefer TACACS+ or perhaps LDAPS /w TLS. Regardless, you are going to need something more robust than NPS.
What comes to mind is ClearPass and the Identify Services Engine (ISE). I am pretty sure NPS is being deprecated much like IAS was years ago.
Good luck.