Any guidance is appreciated.
Best answer by Ryan Yacobucci
An active directory object is not required for successful authentication when using EAP-TLS authentication.
When using EAP-TLS you set NAC to "Local Authentication" and install necessary RADIUS certificates and Trusted Authority certificates on the NAC itself.
NAC will provide it's RADIUS certificate to the client for validation, then the client will send it's certificate to the NAC for validation. As long as the AAA trusted authority certificate installed is the same certificate that signed the client certificate authentication will be successful.
There is no computer or user account necessary as EAP-TLS is not password based authentication.
The problem that you will run into is that without any AD objects it may become difficult to put these into authorization roles as since there are no AD objects we cannot utilize and AD technologies like security containters. LDAP lookups will not work if there are no objects in AD.
We can still use the CN of the certificate to provide an authorization though.