I’m able to authenticate with the ONT using the dot1x 802.11x support on my CCR1009, just took disabling CRL, setting both the identity and anonymous identity to the MAC on the certs and then importing the entire cert chain. Probably can enable the CRL if the supplemental certs are there, not sure.
However… I cannot get dot1x to work on a bridged interface! This is necessary as that’s how I strip the VLAN 0 tagged frames due to the 802.1p priority being set. It stops after the EAP exchange for identity, before the certs start flying over the wire.
You can see and pile on to my post regarding that specific feature being broken here: http://forum.mikrotik.com/t/802-1x-dot1x-client-not-working-when-interface-is-on-a-bridge/131984/1
Once fixed or a workaround is found, it should be possible to have a complete solution without a switch chip and without having the RG even plugged in.