Is it normal for AD authentication to generate a lot of ICMP traffic?
There really shouldn't be much ICMP traffic during a typical client logon to AD. It is really only used for slow link detection, and it's hardly enough to trigger an ICMP flood alert on most sane IPS systems.
Do you have any logon scripts that have ping loops to make sure that servers and the client network link are up before accessing network resources? That's a pretty common trick, and could cause the behavior that you're seeing.
Perhaps your AD server is also your DHCP server?
It is common for a DHCP server to ping addresses before offering them up as new leases.
http://technet.microsoft.com/en-us/library/dd380200(v=ws.10).aspx
However, this shouldn't generate too many packets. (Though if you have very low lease times and a lot of turn over, it could show up.)
You might be seeing the slow link detection that group policy does. It will transmit very large icmp packets that end up getting fragmented to determine if the user is logging in over a slow link or not.
Check out:
http://support.microsoft.com/kb/227260
and
http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx