Only if your devices support EAP-TTLS/PAP or EAP-PEAP/GTC. These mechanisms allow the client to send a plain password to the server (TLS-secured).

The more common MSCHAP-based mechanisms, however, do not allow this: they are challenge/response mechanisms which require the server to already know either the plain passwords or specific format hashes (NTLM / MD4), and you have neither of those in /etc/passwd.

(There is also an EAP-pwd mechanism which specifically allows usage of crypt()-format hashes that /etc/passwd (actually /etc/shadow) stores – but its support is quite rare.)

To implement this, activate either the 'pam' module (which asks the OS to verify passwords) or the 'unix' module (which directly reads hashes from /etc/shadow).