I'll assume since you are using a MS Radius server you are going to try to do PEAP or EAP-TLS since I believe these are the only EAP types that server supports. Assuming that, yes you will have to have certificates installed on the server but not on the AP. Depending on which EAP type you choose and how you configure the supplicant you may need certificates on the clients too.
On the AP side you are currently setup to only do LEAP authentication for NUPCO-LAN. You need to change "authentication open" to "authentication open eap eap_methods2" if you want to support any other types of EAP.