
I'm trying to configure a TTLS 802.1x Login Window profile on OS X 10.10.1 Yosemite.

The profile has been installed (via MDM) and the login window now shows (above the username/password input boxes) a dropdown from which the 802.1x profile can be selected; furthermore, when a user attempts to log in, 802.1x authentication is attempted.

However, that authentication fails; having enabled supplicant logging, I see the following error after the TLS tunnel is set up:

EAP Request: EAP type 21
Authenticating: can't prompt for missing properties <array> {
  0 : UserPassword
}
set_msk 0
Supplicant (main) status: state=Held

...but I had thought that the whole point of Login Window profiles was that the username and password used for 802.1x were those provided by the user at the login window!

What's going on?


UPDATE

It seems that the selection of an identity certificate in the network payload was causing OS X to ignore the user credentials provided at the login window.

Is there any way to use a (system-wide) client certificate during the TLS handshake, but also use the user creds from the login window for the inner/tunneled authentication?

eggyal

1 Answer


I can't find any documentation on this, but my understanding is that it's possible to combine System and Login Window authentication. Essentially, you'd include two different 802.1x payloads in your MDM profile, one set to System mode with the client certificate, and the other set to Login Window mode without the client cert.

Gordon Davisson
  • That could be suitable if one wants OS X machines to remain connected to the network at all times: authenticated via a TLS client cert if no user is logged in; or otherwise authenticated against the user's credentials. If the network is capable of restricting the latter to supplicants that have successfully performed the former, it would indeed fulfil our requirements... but it's not exactly what we had been hoping to achieve: i.e. *no connection* until successful two-factor 802.1x authentication at the login window. – eggyal Jun 15 '15 at 00:13
  • @eggyal: Hmm, I misunderstood. I don't know of a way to set up 2-factor authentication at login time; sorry. – Gordon Davisson Jun 15 '15 at 04:10
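The two-payload layout proposed in the answer above, as an added example that is not part of the original question or answer: a standard-library Python script that builds such a profile with plistlib (one 802.1X payload in System mode carrying the identity certificate, one in Loginwindow mode without it) and then checks which of the two payloads references a certificate, because the question's update found that a certificate on the Login Window payload makes OS X ignore the login-window credentials. The key names (SetupModes, EAPClientConfiguration, AcceptEAPTypes, PayloadCertificateUUID, com.apple.firstactiveethernet.managed, com.apple.security.pkcs12) are the ones in Apple's Configuration Profile Reference; the choice of a wired payload, the MSCHAPv2 inner method, the anonymous outer identity, the com.example identifiers and the stand-in .p12 bytes are assumptions made for this example.

```python
"""Build a System + Login Window 802.1X profile and check where the cert sits.

Added example; not code from the original post.  Key names follow Apple's
Configuration Profile Reference; the values below are assumptions.
"""
import plistlib
import uuid

EAP_TTLS = 21  # EAP type 21, the type shown in the supplicant log above


def _base(payload_type, name):
    """Common keys every payload (and the profile itself) must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.8021x." + name,  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def ethernet_8021x_payload(name, setup_modes, cert_uuid=None):
    """One wired 802.1X payload doing EAP-TTLS (wired interface is an assumption).

    cert_uuid: PayloadUUID of a certificate payload in the same profile.  When
    set, the supplicant presents that identity in the outer TLS handshake; when
    None, the credentials come from the user (the login window in Loginwindow mode).
    """
    p = _base("com.apple.firstactiveethernet.managed", name)
    p["SetupModes"] = list(setup_modes)  # "System" and/or "Loginwindow"
    p["EAPClientConfiguration"] = {
        "AcceptEAPTypes": [EAP_TTLS],
        "TTLSInnerAuthentication": "MSCHAPv2",  # assumed inner method
        "OuterIdentity": "anonymous",           # assumed outer identity
    }
    if cert_uuid is not None:
        p["PayloadCertificateUUID"] = cert_uuid
    return p


def pkcs12_payload(name, p12_bytes, password):
    """Certificate payload holding the machine identity (.p12 bytes + password)."""
    p = _base("com.apple.security.pkcs12", name)
    p["PayloadContent"] = p12_bytes  # plistlib emits bytes as <data>
    p["Password"] = password
    return p


def build_profile(p12_bytes, p12_password, cert_on_loginwindow=False):
    """Return the .mobileconfig bytes.  cert_on_loginwindow=True reproduces the
    layout the question's update found broken (cert on the Login Window payload)."""
    cert = pkcs12_payload("machine-identity", p12_bytes, p12_password)
    system = ethernet_8021x_payload("system-8021x", ["System"],
                                    cert_uuid=cert["PayloadUUID"])
    loginwindow = ethernet_8021x_payload(
        "loginwindow-8021x", ["Loginwindow"],
        cert_uuid=cert["PayloadUUID"] if cert_on_loginwindow else None)
    profile = _base("Configuration", "8021x-system-plus-loginwindow")
    profile["PayloadContent"] = [cert, system, loginwindow]
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Return (system_has_cert, loginwindow_has_cert); the wanted result is (True, False)."""
    profile = plistlib.loads(profile_bytes)
    cert_uuids = {p["PayloadUUID"] for p in profile["PayloadContent"]
                  if p["PayloadType"] == "com.apple.security.pkcs12"}
    system_has_cert = loginwindow_has_cert = False
    for p in profile["PayloadContent"]:
        if "SetupModes" not in p:
            continue  # not an 802.1X network payload
        has_cert = p.get("PayloadCertificateUUID") in cert_uuids
        if "System" in p["SetupModes"]:
            system_has_cert = system_has_cert or has_cert
        if "Loginwindow" in p["SetupModes"]:
            loginwindow_has_cert = loginwindow_has_cert or has_cert
    return system_has_cert, loginwindow_has_cert


if __name__ == "__main__":
    # Constructed stand-in for the real machine .p12; not a real certificate.
    good = build_profile(b"not-a-real-pkcs12", "changeit")
    print(check_profile(good))  # (True, False)
    broken = build_profile(b"not-a-real-pkcs12", "changeit", cert_on_loginwindow=True)
    print(check_profile(broken))  # (True, True): login-window creds would be ignored
```

Feed the real .p12 and its password to build_profile and push the resulting bytes as a .mobileconfig through the MDM; check_profile is the pre-deployment check, and (True, True) is the layout to avoid.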