In case of Apple devices this information is stored in the user's keychain.
That *should* mean it is stored encrypted and it *should not* be extractable.
Generally it is a better security practise to use seperate certificates for 802.1X (EAP-TLS) instead of using Active Directory username/password for 802.1X (PEAP EAP-MSCHAPv2 or EAP-TTLS PAP/MSCHAPv2). That way, if the device gets compromised or the NT-Hash gets compromised, the username/password is not leaked.