Hi,
I have not tried AAA auth with a web-portal, only 802.1x + WPA2.
On all the sites where we've done that, the AAA server is only reachable via a route in the controller; the APs do not ask directly, but I think that is possible.
In all our setups, we don't use AD directly, but the RADIUS server in AD. It seems much more reliable, and you don't need to authenticate an AD admin on the box, just have a shared secret set up.
There is a guide/article here on the forum somewhere; try searching for it.