Hello,
the best solution is to have a RADIUS server.
Cisco ACS can authenticate trough the local database or do the lookup on AD if you link the unknown user policy to AD.If you prefer FreeRadius you can give a try to make FreeRadius talk to AD using Samba. Should work as well.