Windows 11 Enterprise, Version 22H2, OS Build 22621.189

Provide more information about you connecting Windows to your network:

• network type: wired or wireless?
• authentication type: MAB, user authentication, machine authentication?
• credentials: pre-shared key, username+password, digital certificate?
• Share live logs on ISE.
• the error message screen is showing on windows.

Could you try to update LAN Drivers to the latest one?

Wired

User and Machine Authentication

Digital Certificate, username+Password

In Windows11, Action Required Signin Pops up, after clicking on signin , it tries to reauthenticate. and fails again and again.

Check the windows 11 wired configuration setting with the below article.

https://learn.microsoft.com/en-us/mem/intune/configuration/wired-network-settings-windows/

The device you tried to connect, is already connected with your domain environment or the first time you tried with this one?

check if there is any rule that checks the end pint OS version.

I can confirm that there is no general issue using Win11 version 22H2 with 802.1x EAP-TLS and Cisco ISE 3.1. I tested the same using my Surface Pro and the following scenario.

• Wired
• Windows native supplicant configured for EAP-TLS with 'User or Computer' authentication
• Both Computer and User certificates installed issued by the same internal CA that signed the ISE EAP certificate
• Internal CA root chain installed in both the Computer and User certificate store
• Supplicant configured to use certificate matching based on the internal Issuing CA

With the above setup, both the Computer and User sessions are authenticated/authorised as expected based on my AuthC/AuthZ Policies.

Example live logs:

Some suspicious points in the details provided earlier in this thread:

1. It was mentioned that the authentication uses "Digital Certificate, username+Password". This is not possible; with EAP-TLS, authentication is done using the certificate attribute (e.g. Subject Common Name) as the identity based on how you have configured your Certificate Authentication Profile in ISE. It is not possible to use Username/Password with EAP-TLS. For Username/Password auth, you would need to use PEAP(MSCHAPv2).
2. The comment "Action Required Signin Pops up" would indicate that something is either not configured properly in the supplicant, there are multiple certificates in the User store and the supplicant does not know which to use for 802.1x, or the supplicant is not finding a certificate that is valid for EAP-TLS.

For the latter, you should confirm that the User certificate meets the requirements for EAP-TLS based on the information here:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap

If you have multiple certificates in the Computer and/or User store, you should use the certificate matching option in the supplicant to define the Issuing CA for the certificate you want the supplicant to present for 802.1x. This is found in the Advanced option in the main Properties window. You should also ensure that your internal CA is selected in the Trusted Root Certificate Authorities section.

Example:

Thanks for detailed reply.

One thing which i noticed in your settings is that you are not connecting to any server to verify server's identity. But we are using.

Regarding Suspicious points I want to clarify,

1. Digital Certificates are being used for authentication. Username Password is for user login to machine.

2. I am attaching herewith settings of LAN Card

I thought I was having a similar problem.  Turns out Win10 and Win11 handle conflicting GPOs with multiple wireless profiles differently.  I was getting "action required" only on Win11.  Using rsop.msc, I determined that there was an empty wireless profile from a GPO that shouldn't have had a wireless profile.  There wasn't even an SSID name defined.  The empty wireless profile was #1 and my desired wireless profile was #2.  What was interesting is that Win10 somehow was seeing that wireless profile #2 for "server verification" (ISE pki cert) and when manually clicking the SSID I would not get a action required message.  Win11 when manually clicking the SSID, I would get the action required message.  What the heck.  Once I deleted the completely empty wireless profile, my desired 802.1x GPO wireless profile started working for the first time ever. I had to adjust a few things on the fly to not take down the company, such as profile name matching the SSID name, and cert selection (not server verification CA checkboxes) to checkbox the appropriate CA.  No more clicking the SSID manually to connect.