Thanks @marce1000.  I did follow a few guides I found and then thing is that EAP-TLS is working with a PSN joined to the cluster in Azure but is located in the lab.  My issue is when I point the controller WLAN to the PSN in Azure, auth fails.  We are also not looking up in Azure AD.  We are using copies of Preloaded_Certificate_Profile that will reference the CN or the SAN in the policies.  

My Deployment is like the foollowing:

PANMNT01 (Azure)

PANMNT02 (Azure)

PSN01 (Azure) - Failing on EAP-TLS

PSN02 (Azure)- Failing on EAP-TLS

PSN03 (Lab but joined to the cluster)- Working on EAP-TLS

@thomas Here are some screen shots of the various errors we see when the controller wlan is pointing to the Azure PSN's.  The thing is, I have another PSN that is not in Azure that is joined to the same cluster and that works fine.  I have the full chain imported in ISE and also making sure that the team that owns the device has the full chain of ISE in the trusted cert store.  Initially for the Windows 11, they only had the root CA as that has been working fine on all the old and test ISE cluster that I have.  We do have an mtu mismatch from our DC router tunnel to Azure VPN which we will have to address in January.

Majority of the Failure reasons are:

If there is an MTU mismatch, that is likely the culprit. EAP-TLS is very sensitive to fragmentation and the generic errors you are seeing are common when the supplicant drops the handshake due to fragmentation of the certificate chain. I would suggest doing a packet capture on the client to see what the EAP communication looks like to determine if you are getting part of the chain and then the session drops.
If you have the ability, you could also try dropping the MTU on the access switch temporarily to prevent the MTU mismatch along the path and see if that resolves the issue.

Tested today and set the mtu on the access switch interface vlan to 1300 and then 1000 and EAP-TLS was still failing.  I will test more after the holidays.

@wifievangelist I think this would not be an issue if MS didn't drop udp fragmentation.  The issue is that radius is not getting to ISE, and would be an issue with other vendors also. It is what it is and that was a fix from MS.

My answer is that this is a cisco forum not a microsoft one. I am here to see what cisco can do not Microsoft. And I suggested what cisco could have done, what is your thought on that?

@wifievangelist , also see a related discussion here:
https://community.cisco.com/t5/network-access-control/azure-packet-fragmentation/td-p/5205223

There are multiple levels of fragmentation involved and one of the problems is that the Windows native supplicant uses large EAP messages (1470 bytes), which forces the IP fragmentation. This is a hardcoded setting which cannot be changed.
The result of the fragmentation is that the last packet is smaller, leading to a faster transmit, and therefore received out-of-sequence.

See EAP Fragmentation Implementations and Behavior

Cisco has no control over the behaviour of the Windows native supplicant.

This issue is not present in other public cloud environments like AWS.

it doesnt make sense to me. Radius work based on access request and response. Lets say if the last rdius packet was smaller but, I wont send that until I get radius access reponse for a previous one anyways. So, that is not the case. It might be the case that the larget packets itself got fragmented along the path and due to platform limitations azure started dropping the out of order.

Other thing is even if the native supplicant sends this 1470 byte eap frame (when I was checking it was bigger than that), radius as a protocol can still engineer and fragment the eap frames from client machines while putting adding it as an AVP so that one radius packet will not exceed the certain number.

It is a simple question, if ISE when sends its certificate not resulting in fragmantation then why WLC sending will result? Because WLC cannot make it a smaller byte size when engineer the radius packet and cisco has to just say that it is a platform limitation just like MS acked their limitation.