Posted on 04-25-2019 08:40 PM
I'm trying to set up a Config. Profile that will authenticate a user via 802.1X before proceeding with AD authentication.
I've set up the profile with "Use as Login Window configuration", added the PEAP protocol, and added the Cisco ISE server's certificate Common Name.
When I log in, I can manually go to System Preferences > Network > Ethernet, press "Connect", enter the user I've just logged in as, and it connects fine. I don't know why it's not working from the login window.
Posted on 04-26-2019 06:58 AM
Hi aburrow,
Here's what I can already tell you about the implementation I've done in my infrastructure, because it will be difficult for me to see your configuration on a case-by-case basis:
We have separated the certificate from the 802.1X LAN and 802.1X WiFi configurations, in different configuration profiles, for long-term migration reasons (renewal of the trust authority, for example). You can see my config:
CP-802.1X-LAN (without cert)
CP-802.1X-WiFi (without cert)
CP-CERTIFICATE
On my side, we have a first machine authentication (with the certificate pushed beforehand) that lands the machine in a temporary VLAN (192.168.1.1) before the user authentication; then the user authentication allows us to access the appropriate VLAN (192.168.10.1).
For AD user auth to work properly with FileVault and 802.1X, we had to do some customization:
- Disable FDE AutoLogin and change login display options (https://support.apple.com/en-om/HT207431)
- Bind the Mac (I think you might be able to do this part with a third party software)
Try to dig a bit deeper in that direction; I hope this helps you a little.
Regards,