Yes, you should use RADIUS in favor of LDAP in most cases. The short summary is that LDAP (especially with AD) does not provide access to the user password, which is required for MSCHAPv2 authentication. It is a design decision that Microsoft made, and I think they made the right decision not to allow access to user passwords.
You can use ClearPass to bind into your Active Directory, or, if you are experienced enough, configure Microsoft NPS on Active Directory to enable RADIUS in an AD environment.
In general, avoid LDAP from the controller and use RADIUS; avoid EAP-PEAP-MSCHAPv2 and use EAP-TLS for wireless clients. There are lots of moving parts with significant consequences of choices in such a design, and I would advise you to work with an Aruba partner to get a secure design.
I would capture the LDAP traffic on the LDAP server rather than on the controller.