Security

When you have caching enabled on AD authentication source, does it cache the password/password hash at all, or is the password checked against the AD every time a user authenticates towards a Radius service on the clearpass? (typically eap-peap)

I know group memberships and Authorization data is cached, but unsure about passwords.

Now regarding EAP-TLS authentification to wireless network. As I understand, the user account password is never part of the authentication exchange. Authentication is achived by verifing the key-pairs of the configured certificates, and the AD user account password is never exposed in the auth request to the 802.11x SSID. The EAP-TLS wireless would then never be responsible for a locked out windows account (to many failed auth attempts).

It is very clear to me that is have to work in a BYOD clearpass onboard deployment, but is that always the case even when windows domain computers are configured to use EAP-TLS?

Passwords are not cached.  Authorization can optionally do a lookup via LDAP to see if the username on the EAP-TLS certificate is still in AD to make sure the user has not been locked out or account disabled.

And I am correct in saying that the password is never exposed during EAP-TLS authentication?

Even on domain windows computers the password is not part of the auth exchange.

There is no password in an EAP-TLS exchange.  Correct.