Figured it out. Networkmanager requires the auth mode to be TLS with user, not just TLS and key password. It will not prompt the user for a login (at least in gnome shell) but instead just time out. This is contra the official clearos documentation, so someone might want to look into that. The doc also has instructions for a deprecated version of the windows client, which uses a different import and setup method.