I am only guessing here, because I do not know your deployment:
In the EAP-TLS method, there is an option to ensure that the "user" in the certificate actually exists in Active Directory. What field you actually compare to a user is also configurable in the EAP-TLS method. It is a way to ensure that the "user" that the certificate was issued to actually exists. When you turn this on, you need to make sure that the right field in the certificate is compared against the user, otherwise it will not work. You can turn this off and, as long as the certificate has not expired, it will allow the device to get on.
EAP-TLS, quite frankly, can be very involved, so I am only speaking generally.
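To make the trade-off in the answer above concrete, here is an added example (not code from the poster or from any RADIUS/NPS product) that models the decision: the certificate is a plain dict standing in for a parsed X.509 cert, the directory is a constructed set of enabled accounts, and the `match_field` to certificate-attribute mapping is an assumption for illustration.

```python
from datetime import datetime, timezone

# Constructed stand-in for the accounts currently enabled in the directory,
# keyed by the attribute the EAP-TLS method is configured to match on.
DIRECTORY = {
    "upn": {"alice@corp.example", "bob@corp.example"},
    "samaccountname": {"alice", "bob"},
}

# Assumed mapping from the configured match field to the certificate field it is
# compared against; a mismatch here is the "wrong field" failure the answer describes.
CERT_FIELD_FOR = {"upn": "san_upn", "samaccountname": "subject_cn"}

def evaluate_eap_tls(cert, bind_to_account=True, match_field="upn",
                     directory=DIRECTORY, now=None):
    """Return (decision, reason) for one presented client certificate."""
    now = now or datetime.now(timezone.utc)
    if not cert.get("chain_valid"):
        return "reject", "certificate chain does not validate"
    if cert["not_after"] <= now:
        return "reject", "certificate expired"
    if not bind_to_account:
        # Binding disabled: every unexpired, chain-valid certificate is accepted,
        # including one issued to an account that has since been removed.
        return "accept", "expiry-only check, no directory binding"
    cert_field = CERT_FIELD_FOR[match_field]
    identity = cert.get(cert_field)
    if identity is None:
        return "reject", f"certificate carries no {cert_field} to compare"
    if identity.lower() not in directory[match_field]:
        return "reject", f"{identity} not found in directory by {match_field}"
    return "accept", f"{identity} matched directory by {match_field}"

# Constructed sample certificates and a fixed clock so results are reproducible.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID_UNTIL = datetime(2025, 1, 1, tzinfo=timezone.utc)
DEPARTED_USER_CERT = {"subject_cn": "carol", "san_upn": "carol@corp.example",
                      "not_after": VALID_UNTIL, "chain_valid": True}   # carol left the company
CN_ONLY_CERT = {"subject_cn": "alice", "san_upn": None,
                "not_after": VALID_UNTIL, "chain_valid": True}          # no UPN in the SAN

if __name__ == "__main__":
    print(evaluate_eap_tls(DEPARTED_USER_CERT, bind_to_account=False, now=FIXED_NOW))
    print(evaluate_eap_tls(DEPARTED_USER_CERT, bind_to_account=True, now=FIXED_NOW))
    print(evaluate_eap_tls(CN_ONLY_CERT, match_field="upn", now=FIXED_NOW))
    print(evaluate_eap_tls(CN_ONLY_CERT, match_field="samaccountname", now=FIXED_NOW))
```

The second and third calls show the two outcomes the answer warns about: with binding on, a departed user's still-valid certificate is rejected, and a certificate that lacks the configured field is rejected even for a real account until the match field is corrected.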