09-02-2024 01:19 AM - edited 09-04-2024 01:22 AM
Hello,
I am having problems with my NPS system. I set this up and it works perfectly with a Windows 10 laptop: a nice authentication and acceptance for my laptop, resulting in it getting into the right VLAN. Then I asked a colleague if he wanted to test it as well. This was with a Windows 11 laptop, and this did not work. After long googling I found that it is a known problem and can be solved in different ways. The way we used is to select via a GPO that dot1x authentication should look for the domain controller and use these certificates. After pushing this, the setup works with both Windows 10 and 11. A second solution is to disable Credential Guard on the Windows 11 laptop; then authentication also works well.
Now here is my question. The problem was also that, without this adjustment on the Windows 11 laptop, it never had internet; it keeps getting stuck in the authentication process, so it gets both no accept and no reject. See photo. This caused it to have no internet. How come the switch did not use the timeout command and then put it in a guest VLAN/failover VLAN 88? Is there a solution for this?
interface GigabitEthernet2/0/48
description Access-LAN-Dot1x
switchport mode access
authentication event fail action authorize vlan 88
authentication event no-response action authorize vlan 88
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable
The reason I want to get this working is because if people from our company need to authenticate to the internet, it is not a problem now, because they are using the pushed GPO that makes sure authentication works on Windows 11 and 10. But I would also like someone external to be able to connect to the internet. Then authentication is rejected and they are placed in the guest VLAN. But right now on Windows 11 a person would not get internet. It doesn't seem like an option to me to have to disable Credential Guard every time someone external wants to connect via cable. All solutions I have found for this problem are client-side solutions. Are there any server-side solutions for this?
This is a picture of the Wireshark capture of the client. The first two captures (blue) are authentication attempts where in Windows the Wired AutoConfig service is disabled. The last capture (red) is the one where I try to authenticate with the Wired AutoConfig service enabled. But as you can see, with the last capture there is never a result, so never internet access.
This picture shows what a Wireshark capture on the NPS sees with an authentication where neither a reject nor an accept comes back.
Hopefully my question is somewhat clear.
Edit/add:
Quick summary
Windows 10 device, NO service wired autoconfig, NOT in domain, NO GPO = Guest VLAN
Windows 10 device, service wired autoconfig, NOT in domain, NO GPO = Guest VLAN
Windows 10 device, service wired autoconfig, NOT in domain, GPO = Guest VLAN
Windows 10 device, service wired autoconfig, in domain, NO GPO= Assigned VLAN
Windows 10 device service wired autoconfig, in domain, GPO = Assigned VLAN
===================================================================================
Windows 11 device, NO service wired autoconfig, NOT in domain, NO GPO = Guest VLAN
Windows 11 device, service wired autoconfig, NOT in domain, NO GPO = No internet (this is the situation external people have)
Windows 11 device, service wired autoconfig, NOT in domain, GPO = Guest VLAN
Windows 11 device, service wired autoconfig, in domain, NO GPO= No internet (situation never present)
Windows 11 device service wired autoconfig, in domain, GPO = Assigned VLAN
The "no internet" is caused by Credential Guard, which is enabled by default on Windows 11 PCs, but on external people's PCs I can't change that. Is there another solution?
09-02-2024 01:41 AM
So Win11 fails to auth?
If yes
Then
authentication event fail action authorize vlan 88 <<- this line should work IF AAA returns access-reject
If the Win11 does not respond to dot1x (you disable it)
Then
authentication event no-response action authorize vlan 88 <<- this will work
Now in some cases the event authz VLAN is different than the dynamic VLAN assigned by AAA; this makes the endpoint MAC get added to the event authz VLAN, but the endpoint has the IP of the dynamic VLAN assigned. The solution is to make the reauth timer less than the DHCP lease timer.
MHM
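The two "authentication event" lines in the posted config and MHM's reply describe three outcomes: no EAPOL at all (guest VLAN), an explicit Access-Reject (fail VLAN) and a client that answers Request/Identity but never reaches a RADIUS verdict (nothing fires). The following is an added example, not from the thread or Cisco, that replays constructed capture summaries for the three cases in the poster's table through a deliberately simplified model of that logic; the trace format, the names TRACES/parse/classify and the assigned VLAN 20 are all assumptions.

```python
import re
# Constructed capture summaries (not the thread's screenshots): "<sec> <from> -> <to> <frame>"
TRACES = {
    "win10_no_wired_autoconfig": """
0.000  switch -> client  EAP Request Identity
2.000  switch -> client  EAP Request Identity
""",
    "win11_external_credential_guard": """
0.000  client -> switch  EAPOL Start
0.010  switch -> client  EAP Request Identity
0.015  client -> switch  EAP Response Identity
0.040  nps    -> switch  RADIUS Access-Challenge
0.045  switch -> client  EAP Request PEAP
""",
    "win11_domain_gpo": """
0.000  client -> switch  EAPOL Start
0.010  switch -> client  EAP Request Identity
0.015  client -> switch  EAP Response Identity
0.900  nps    -> switch  RADIUS Access-Accept Tunnel-Private-Group-ID=20
0.905  switch -> client  EAP Success
""",
}
GUEST_VLAN = "88"  # 'authorize vlan 88' in the posted interface config
LINE = re.compile(r"^\s*([\d.]+)\s+(\w+)\s+->\s+(\w+)\s+(.+?)\s*$")

def parse(trace):
    # Turn the text summary into (time, src, dst, frame) tuples
    frames = []
    for line in trace.strip().splitlines():
        m = LINE.match(line)
        if m:
            t, src, dst, frame = m.groups()
            frames.append((float(t), src, dst, frame))
    return frames

def classify(trace):
    """Simplified model (an assumption, not IOS code) of which event line fires."""
    frames = parse(trace)
    from_client = [f for f in frames if f[1] == "client"]
    verdicts = [f[3] for f in frames if f[1] == "nps"]
    if not from_client:
        return ("no-response", GUEST_VLAN)  # no EAPOL from client: guest VLAN
    for v in verdicts:
        if v.startswith("RADIUS Access-Accept"):
            m = re.search(r"Tunnel-Private-Group-ID=(\d+)", v)
            return ("authenticated", m.group(1) if m else None)
        if v.startswith("RADIUS Access-Reject"):
            return ("fail", GUEST_VLAN)  # explicit reject: fail VLAN
    # Identity was answered (no-response path gone) and no reject came (fail path never fires)
    return ("stuck", None)
```

The "stuck" result is the red capture from the first post: the port is neither authorized nor moved to VLAN 88 because no configured event has occurred.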
09-02-2024 04:16 AM
In the situation where the Windows 11 device is not in the domain and has the Wired AutoConfig service enabled, it can't authenticate. That is the situation in blue. The no-response line doesn't work in that situation. It never says no response and does not place the client in VLAN 88.
09-02-2024 11:43 AM
I see the Win11 sends start, so the SW un-authorizes the guest port.
I think this is what you see here.
You need to be sure that the Win11 does not send any EAPoL.
MHM
09-02-2024 11:13 PM - edited 09-03-2024 07:51 AM
At that point in time when the start (EAPOL packet) is sent there is no link. And if it would receive EAPOL packets while in link, the authentication should restart, like it says in the note below it?
This is with the exact same device but with the GPO pushed with the changes. And here you can see that it works perfectly. But if external people come and want to connect, I can't put them in our domain to push the GPO. Or I can't go messing around in their settings, so I was wondering if there is a server-side solution to this problem?
https://old.reddit.com/r/sysadmin/comments/xju508/windows_11_22h2_credential_guard_default/
This post also describes this problem. But nowhere in this post is it cleared up how you can solve it without changing client-side settings. Because you can't change the settings of external people's PCs. And I hoped the timeout in the switch config would still work, but in the Cisco documentation it says that line doesn't do anything once you have passed the EAP Request/Identity.
09-09-2024 12:50 AM
Friend, run
debug dot1x event <<- share it here
MHM
09-11-2024 01:52 AM
Please enable the aaa authentication and radius authentication debugs on the switch and share the output for review.