We have some VoIP phones that we want to integrate into our PEAP WiFi network, and I'm concerned about just creating a standard AD account and using that. If someone got hold of such long-term account credentials, they could then use them to log into hosts and access network resources.
There are some policy/setting options for locking down local access, but they don't apply to network access. E.g. the "Log On To" option allows you to limit what machines an account can access, but a WiFi access point talking to a NPS/domain controller appears to use the host "" - i.e. it doesn't set that variable. That entire solution appears to only work against domain-member Windows computers - so it wouldn't help if the user came in from a Unix/Mac system for instance (or PEAP of course).
This can be expanded to a more general question about how to use Active Directory for non-Windows authentication (e.g. LDAP). I haven't seen any real answers and so fear it may not be possible - but you've gotta ask, right? :-)
The way I addressed this (and I'm not saying this is "industry standard" or "best practice") was to create a single account that they could use (like a service account), put it in a group created just for this (and used in NPS for policy matching), make that group the primary, and remove them from Domain Users. That way, even if someone managed to get the password, they would only get access to anything using "Authenticated Users", which we don't use at all.
In the event we find that the account has been compromised, we would simply create a new account with a new password, change the phone startup config file, and once all the phones got the new settings, kill the old account.
As to using a non-Active Directory user database, it can be done, but you'd have to add a non-NPS RADIUS server. I tried for a long while to get an Ubuntu server with FreeRADIUS to do it, but it ended up taking too much time to learn how to integrate it properly, so I went back to NPS. NPS has a way to specify that, for given criteria, it should pass off the request to an external RADIUS server, so it's definitely possible.
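The account setup the answer above describes (dedicated group, primary group swapped, Domain Users removed), as an added PowerShell example that is not from the original post. It assumes the RSAT ActiveDirectory module is installed; the group, account and OU names are placeholders.

```powershell
# Added example, not from the original answer. Creates the least-privilege
# PEAP phone account as described: dedicated group used for NPS policy
# matching, set as primary group, then membership in Domain Users removed.
# Assumes RSAT ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

$GroupName   = 'VoIP-Phones-PEAP'                      # placeholder group name
$AccountName = 'svc-voip-peap'                         # placeholder account name
$OU          = 'OU=ServiceAccounts,DC=example,DC=com'  # placeholder OU

# The primary group must be a global security group in the same domain.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
        -GroupCategory Security -Path $OU -PassThru
}

# Password is entered interactively so it never lands in a script or history.
$password = Read-Host -AsSecureString 'Password for the phone account'

$user = New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $OU `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -PassThru

Add-ADGroupMember -Identity $group -Members $user

# primaryGroupID holds the group's RID (last component of its SID). AD refuses
# to remove an account from its primary group, so swap the primary group first.
$rid = [int](($group.SID.Value -split '-')[-1])
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false

# Check: only the dedicated group should be listed.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name
```

The NPS network policy then matches on membership of the placeholder group rather than on Domain Users, so a leaked phone password grants nothing beyond what that policy allows.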