We recently implemented 802.1x in our environment and have just noticed an issue. When a user updates their directory password, instead of the Mac prompting the user for a new password, authentication fails with an obscure message (see attached).
We have Meraki APs and we are using a Foxpass RADIUS server which delegates authentication to Okta. I'm not sure if this setup is a factor.
If I manually delete the Keychain entry, the authentication prompt comes back as expected and I am able to enter my updated password and connect as usual.
Look in the user's keychain and clear any entries related to your SSID. You can't script this removal, as the user's keychain is secured and not accessible even as root. You can, however, delete the user's keychain.
I've been dealing with this issue for years. I've just made sure to plaster all password change notices (before and after) with instructions on how to fix the keychain. I'd love a more automated solution.
It is scriptable, just not (easily) in the context of the root user. Since Jamf Pro runs scripts as root, you can use
su "$3" -c "command goes here" to execute something in the context of the user account passed into Jamf Pro (via Self Service, etc.). We used to do that fairly often to clear out Keychain entries for our non-Kerberized web proxy.
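
The approach from the last reply, running the keychain cleanup in the user's context from a root-run Jamf Pro script, as an added example that is not code from any poster in this thread. It assumes the SSID arrives as Jamf parameter `$4` and that the saved 802.1X item's keychain label equals the SSID; the function names and the `CorpWiFi` default are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread. Assumptions: SSID is Jamf parameter $4,
# and the saved 802.1X keychain item is labelled with the SSID.
SSID="${4:-CorpWiFi}"   # hypothetical default SSID

# Accept only plain account short names; never re-run the cleanup as root.
valid_user() {
  case "$1" in
    ""|root|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Single-quote a value so it is inert inside the string handed to `su -c`
# (an SSID may contain spaces, quotes or shell metacharacters).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command that will run as the user.
build_cmd() {
  printf 'security delete-generic-password -l %s' "$(shell_quote "$1")"
}

# $1 = user, $2 = SSID. Prints how many items were removed.
clear_8021x_item() {
  valid_user "$1" || { echo "refusing to run as '$1'" >&2; return 2; }
  cmd="$(build_cmd "$2")"
  n=0
  # delete-generic-password removes one match per call; cap the retries.
  while [ "$n" -lt 5 ] && su "$1" -c "$cmd" >/dev/null 2>&1; do
    n=$((n + 1))
  done
  echo "$n"
}

# Jamf Pro passes the username as $3; do nothing when it is absent.
if [ -n "${3:-}" ]; then
  clear_8021x_item "$3" "$SSID"
fi
```

Check the item's actual label in Keychain Access on a test Mac before deploying, since a mismatch makes the script remove nothing.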