Even disabling TLS 1.0 in cluster wide parameters (ALL) can have wide impact in unmanaged mac environment (college student owned), as I have found out today. Older Macs and Windows 8 could not connect to 802.1x peap even with re-adding the network. It broke on 10.12.6 and didn't break on 10.14. Not sure about in between those versions. As soon as I rolled back the setting on clearpass, most clients reconnected automatically. Some clients needed to forget network and re-add after I reverted the clearpass setting.
Looks like I'll be updating the stated minimum requirements documentation for new student macs and hope to make the change in the summer.