@wifichallenges Do you have FileVault enabled on your Macs? If so there is no network connectivity from the machine after a restart until a user logs in because the FV login screen isn't running the full macOS, it's running a pre-boot waiting for a user to enter account credentials with permission to unlock the drive. Only once the drive is unlocked does the fill macOS load with the Configuration Profile you've pushed for 802.11x network authentication.

"sudo fdesetup status" reports that filevault is OFF on this test device i have.

I think maybe ill try another device see if it does it as well.

@wifichallenges If you're not using FileVault my question would be does the Network payload in the Configuration Profile you're deploying have the "Use as a Login Window configuration" option set?

I was able to get this working by setting the name of my setting my certificate subject to "CN=$USERNAME" and the RFC 822 Name to $USERNAME@domain.com. The radius server seems to accept this as a user authenticating and it automatically connects because it is a system cert. Perfect if you're using Jamf Connect Login.

I'm using the ADCS Connector though.

I set it, made no difference. However i think i have bigger problems as i reimaged the laptop and now it wont connect at all with the certificate...  I think i manually forced the connection previously to get it to work but i dont want to do that again. i want the config profile to do it all.

tried another laptop and used PEAP with a hardcoded username and password in the config profile and that does connect fine. Anyways i have a few months to solve this, before i give up and go hardcoded. Doesn't seem to be any way for a limited user to read the saved credentials, so that is good.

I'd have to make a new certificate template to do that i think. Ill think about trying it. However many people have got this working with normal machine based certificates. The ADCS connector seems to only be used for non domain joined devices, correct? Because i have no problem acquiring a certificate as the macbook is domain joined.

@wifichallenges It's been over 5 years since I worked in an environment that allowed 802.11x network auth at the login window, so my memory isn't exactly fresh. As best I can recall the login window configuration authenticated the Wi-Fi connection using the AD computer record for the Mac, and when a user logged in the computer authenticated connection dropped and a new user authenticated connection was established. 

The problem there is that users credentials authenticate them to a limited network only for BYOD. Corporate network access is restricted to certificate based only for tighter control of what people can bring into the environment. 

If they BYOD, they only get internet. So i dont think that will work for me.

Anyways i am going to keep plugging away at it but also i am going on holidays so i wont post for a bit. i have a few months to solve this before its really critical. 

I have the same issue. Recently, using Jamf Pro with Jamf Connect, the office Wi-Fi profile doesn't allow login; it just sits there and spins. I have to turn the WiFi off and use Local login. Then WiFi works fine; the profile (certificate and network payloads) is there, and authentication is seamless. We use Aruba/ClearPass, so I'm not sure what I am missing here so it works on the login screen.