I have a question regarding Identity Awareness and iPad devices. So our scenario is we have several networks, each with iPad devices in them. Not static IPs. They authenticate to our wireless network via EAP-TLS on a Windows NPS RADIUS server. When it comes to internet access, since these devices only use an object in AD with a certificate name mapping applied to authenticate it, it's not recognized in IA with that AD object. So there's no IA/authentication being performed on the iPad devices for internet access. I'm trying to avoid using captive portal as I need these devices to hit specific rules that allow them to communicate to iCloud and other Apple services that the rest of the network doesn't need.
So my question is, is there a good way for Identity Awareness to be performed on an iPad device outside the captive portal? Is there an Identity Agent for the iPad OS?
I also attempted to see if the RADIUS Accounting option was an option, but I'm not sure I understand how the IA RADIUS Accounting option works. Maybe someone can enlighten me on it.
I initially assumed that the gateway would look to the RADIUS Accounting server/logs to match an identity. Since my iPads already authenticate via RADIUS on the NPS server, perhaps the gateway would look to the Accounting logs and assume the iPad identity? That doesn't seem to be the case. So I'm not sure how to get RADIUS accounting to work with IA. I can't find much in the admin guides about this setup/scenario where the RADIUS accounting option would be used in IA.