Andrea:
All the work will need to be on the client side and the ClearPass side.
Here is the minimum you need to get done:
- The IAP just needs to be set up with WPA2-Enterprise and point to the ClearPass as the RADIUS server.
- The client needs a user certificate generated by a certificate authority (that CA can be the built-in onboard CA).
- ClearPass needs to have a service configured with the EAP-TLS authentication method AND have the CA certificate that issued the client certificate in its trusted CA Store.
That is all you need. There is no AD tie-in required or needed. You can configure authorization on the EAP-TLS authentication method so that the username on the certificate is checked against AD to see that the user account on the certificate still exists in AD, but that is optional. You should work on getting the minimum done first.
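
A pre-check for the trust relationship described in the reply above, added here as an example and not part of the original post: it builds a throwaway CA and user certificate with `openssl` and shows that the user certificate verifies only against the CA that issued it, which is the chain check a RADIUS server doing EAP-TLS performs against its trusted CA list. All subject names, file names and the `make_demo_pki` / `issued_by_ca` helpers are constructed for illustration; OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example: every name, subject and path below is constructed.

# Build a throwaway issuing CA, a user certificate signed by it, and an
# unrelated CA, all inside directory $1.
make_demo_pki() {
    dir=$1
    # Self-signed CA standing in for the CA that issues client certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Onboard CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # User key and signing request; the CN carries the username.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null || return 1
    # The CA signs the request, producing the client certificate.
    openssl x509 -req -in "$dir/user.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/user.pem" 2>/dev/null || return 1
    # A second CA that did NOT issue the client certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null || return 1
}

# Return 0 only if client certificate $1 chains to the CA certificate in $2.
# -no-CApath keeps the system trust directory out of the decision, so the
# result depends only on the CA file supplied.
issued_by_ca() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo run: the same client certificate checked against both CAs.
demo_dir=$(mktemp -d)
if make_demo_pki "$demo_dir"; then
    for ca in ca.pem other.pem; do
        if issued_by_ca "$demo_dir/user.pem" "$demo_dir/$ca"; then
            echo "$ca: client certificate chains to this CA"
        else
            echo "$ca: client certificate does NOT chain to this CA"
        fi
    done
fi
rm -rf "$demo_dir"
```

To check a real deployment, call `issued_by_ca` with the exported user certificate and the CA certificate that was uploaded to the ClearPass trust list.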