We regularly see problems with OSX laptops with dot1x authentication.
For OSX 10.6 at step 6 of http://www.cam.ac.uk/cs/wireless/eduroam/configuring-macos10.6.html when it says:
Then choose the 802.1X pane. Ensure the User Profile: eduroam
option is highlighted
that option simply isn't present, until the Mac is rebooted. Some of the other graphics have the options in slightly different positions but that is probably because Apple moved them in some random 10.6.x update.
The only change from the default OSX setup was to turn off auto-login.
Go into the keychain access and allow *everything* access to the relevant item - which is horrid but we have not found a better solution.
Without allowing the extra keychain access it will *usually* start to re-prompt for the eduroam password next time the machine is rebooted, or occasionally after leaving eduroam and coming back some time later.
A *guess* is that in some update Apple changed the set of processes which need to access the keychain item for dot1x, or there are timing issues relating to access of the keychain items.
If the chain is already unlocked/available then all works as expected, but after a restart the access is (sometimes) tried before the keychain has been unlocked and it falls back to prompting for the eduroam password...
With wired eduroam (but may occur with wireless also), in System Preferences/Network, you should see:
802.1X: WPA: eduroam <Connect>
However, sometimes the text "WPA: eduroam" alongside the "Connect" button turns into a selector, and when you drop down the selector there are multiple instances of this User Profile of which only one will work! You then need to click "Advanced", choose the 802.1x tab and delete the bogus profiles which (luckily!) are listed in the same order as they are listed in the selector. Nice work.