So my understanding with EAP-TLS is it doesn't verify the user has an active AD account as part of authentication, it only looks at the validity of the certification.
Can you still pull the username from the certificate for authorization purposes? So we can still write policy that says "If user = memberof HR" assign VLAN 10?