Thanks so much for the response. Perhaps the docs could be updated? Tech support told me it wasn't supported yet.
Regarding the problem, we are using a Pixel XL and Pixel 2. It's definitely not trying to join an open SSID. However, I just discovered a clue to the problem by looking at the logs on our Palo Alto firewall which is linked to Cloudpath.
Even though my Android 9 device has been onboarded and is using a certificate for 802.1x authentication to the encrypted SSID, some of the initial traffic through the firewall is blocked during roaming and initial connection. The traffic is to IPs associated with "www.google.com". Per the logs, the traffic is blocked because the firewall does not yet have a user name associated with the device for policy matching on the firewall.
If I whitelist "www.google.com" the phone properly connects to the secure SSID and is authenticated to the firewall with the username embedded in the cert.
If I don't whitelist "www.google.com" then I need to click through the captive portal browser to get authenticated after roaming.
These problems only surfaced with Android 9. Prior versions did not require this.
I guess I could work around this by allowing a permanent exception to "www.google.com" for my wireless network, but I'd prefer not to do that. Suggestions appreciated. Thanks!