What you are telling exactly holds good for Autonomous infrastructure, not for LWAPP-based. In WLC (LWAPP) based, it's the WLC management IP that is the AAA client. The RADIUS protocol runs between the WLC and the IAS/ACS, and between the AP and the WLC it's an LWAPP tunnel.
Here is the link which may give some more info on the same!!
One more question on the same topic: I am using MS NPS server 2008R2. On the RADIUS clients, should I not just need to add the WLC4402 only? Do I have to add all the Catalyst switches and Aironets as well to implement 802.1X EAP-TLS?
It is assumed you are using 802.1X, correct? If so, then it works like this:
In security/radius/authentication you must configure an IP address to where your clients will get a user certificate (only one example of the many ways you can configure it). Also, there needs to be a pre-shared key that matches the one entered in the authenticating server. For instance, if it's "password", then both the RADIUS server and the WLC need to have the exact same key.
So basically your WLC will push Wi-Fi clients to the RADIUS server to get authenticated, and once it confirms the user is in all the proper security groups in AD, it tells the controller the user is okay to access the network. Obviously it's more complex, but this is a general overview.
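The two points made in this thread (the WLC management IP is the only RADIUS client, and the shared key must match on both sides) can be seen in how a RADIUS server validates an Access-Request. The sketch below is an added example, not code from any poster or vendor: it looks up the client by source IP and verifies the RFC 3579 Message-Authenticator (HMAC-MD5 keyed with the shared secret). The IP addresses, user name and key are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

# Constructed sample data: documentation-range IPs and the thread's sample key.
WLC_IP, AP_IP = "192.0.2.10", "192.0.2.51"
RADIUS_CLIENTS = {WLC_IP: b"password"}  # only the WLC management IP is registered


def build_access_request(secret, user=b"alice", identifier=1):
    """WLC side: Access-Request (code 1) signed with Message-Authenticator."""
    attrs = bytes([1, 2 + len(user)]) + user          # User-Name
    attrs += bytes([MSG_AUTH, 18]) + bytes(16)        # zeroed placeholder
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def server_check(src_ip, packet):
    """Server side: find the client by source IP, then verify the HMAC-MD5."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None:
        return "unknown-client"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return "malformed"
        if atype == MSG_AUTH and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            received = packet[pos + 2:pos + 18]
            return "ok" if hmac.compare_digest(expected, received) else "bad-secret"
        pos += alen
    return "no-message-authenticator"


if __name__ == "__main__":
    good = build_access_request(b"password")
    print(server_check(WLC_IP, good))
    print(server_check(AP_IP, good))
    print(server_check(WLC_IP, build_access_request(b"Password")))
```

A request from an unregistered source address is rejected before the secret is ever consulted, and a one-character difference in the key fails the integrity check.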