I am not aware of the possibilty to create a “splash-page” with RADIUS authentication.
There is the possibilty to use 802.1x and promtp users to type in their AD credentials when connecting to the SSID. If authentication is rejected you will not be able to connect to the SSID at all.
This is done using a Windows NPS server, see guide below:
Edit: This applies to cnPilot AP’s, I see now that you have Xirrus AP’s. Not sure if the same applies for Xirrus.