When you have caching enabled on an AD authentication source, does it cache the password/password hash at all, or is the password checked against the AD every time a user authenticates towards a RADIUS service on the ClearPass? (typically EAP-PEAP)
I know group memberships and authorization data are cached, but I am unsure about passwords.
Now regarding EAP-TLS authentication to a wireless network. As I understand, the user account password is never part of the authentication exchange. Authentication is achieved by verifying the key pairs of the configured certificates, and the AD user account password is never exposed in the auth request to the 802.11x SSID. The EAP-TLS wireless would then never be responsible for a locked-out Windows account (too many failed auth attempts).
It is very clear to me that it has to work in a BYOD ClearPass Onboard deployment, but is that always the case even when Windows domain computers are configured to use EAP-TLS?