802.1X Management on the command line
Solution 1:
With EAP-TLS, manipulating certificates, identity preferences and a single password entry all in keychain access can be done from the command line.
Something like:
security import ${PK12} -A -x -k login.keychain -P ${PW}
security set-identity-preference -c ${CN} -Z ${FINGERPRINT} -s com.apple.network.eap.user.identity.default
security set-identity-preference -c ${CN} -Z ${FINGERPRINT} -s com.apple.network.eap.user.identity.wlan.ssid.${SSID}
security add-generic-password -a ${USER} -D "802.1X Password" -l Default -s com.apple.network.eap.user.item.default -T /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient
security add-generic-password -a ${USER} -D "802.1X Password" -l ${SSID} -s com.apple.network.eap.user.item.wlan.ssid.${SSID} -T /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient
com.apple.network.eap.user.item.default and com.apple.network.eap.user.identity.default are for wired 802.1X.
com.apple.network.eap.user.item.wlan.ssid.${SSID} and com.apple.network.eap.user.identity.wlan.ssid.${SSID} are for 802.1X on wireless SSID ${SSID}.