I've just upgraded to ACS 4.1 and am using a Network Access Profile (NAP) to ensure wireless users are authenticated against a Windows AD only (we had issues with overlapping user names for token-based access to other systems). I've had to add the internal database to the sequence of databases searched for this NAP to permit statically configured infrastructure AP credentials (in the ACS internal database) to be used to allow APs to authenticate to a WLSM.
All of this works, but I'm struggling to understand some entries in the user list (see attached JPEG) which shows the internal user, and an uneditable copy of that user which appears to have been used by the NAP. It just looked odd the first time I saw it, and I can't find any documentation which explains the interpretation of the Network Access Profile field in the user list.