Forum Discussion
Connect a Workgroup device on 802.1x Network with NPS
I have been working on a similar 802.1x wired networking test scenario in one of my Labs. I have a Windows Server 2022 DC with AD Certificate Services & Network Policy Server. Very vanilla / base installs with no hardening or specific configuration. I am testing with a Juniper switch configured to authenticate a Standalone Windows laptop. I was able to authenticate a domain joined system relatively easily. I was receiving similar errors to what you were seeing for my standalone system.
Today, I literally made the breakthrough to get my standalone authenticated. The combo was to issue a certificate with the <hostname>.domain.local in the CN and DNS SAN name. On the AD Computer object, it was the "servicePrincipalName" of "HOST/<hostname>.domain.local".
The other key was ensuring the client is configured properly: importing the CA and Client certificate, and configuring the Authentication tab for PEAP, but in the advanced settings towards the bottom for authentication making sure it said "Smart Card or other certificate". Also validate the server in both areas, and check the Domain CA.
I also tested with just a HOSTNAME in the certificate and SPN and it seemed to work. I hope to do some more testing in the next few days to test different adapters, switch configurations, policies, etc. in my test Lab.
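
A check for the name matching described in the post above, as an added example that is not part of the original post: it reads the CN and DNS SAN entries from the exported client certificate and reports whether a matching `HOST/<name>` value exists in the `servicePrincipalName` attribute of the AD computer object. The file path and computer name are placeholder assumptions, and the SAN parsing assumes an English-language Windows build (the `DNS Name=` label is localized).

```powershell
# Added example, not from the original post.
# Run on a domain member with the ActiveDirectory (RSAT) module installed.
param(
    # Placeholder: exported client certificate (public part only, .cer)
    [string]$CertPath     = 'C:\Temp\client.cer',
    # Placeholder: AD computer object that represents the standalone device
    [string]$ComputerName = 'LAPTOP01'
)

Import-Module ActiveDirectory

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Subject common name (CN)
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $cert.GetNameInfo($nameType, $false)

# DNS entries from the Subject Alternative Name extension (OID 2.5.29.17).
# Format($true) returns one entry per line, e.g. "DNS Name=host.domain.local".
$dnsNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $dnsNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    })
}

# SPNs currently registered on the computer object
$computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
$spns = @($computer.servicePrincipalName)

# One result row per distinct name found in the certificate
$names = (@($cn) + $dnsNames) | Where-Object { $_ } | Sort-Object -Unique
foreach ($name in $names) {
    $expected = "HOST/$name"
    [pscustomobject]@{
        CertificateName = $name
        ExpectedSpn     = $expected
        PresentInAD     = $spns -contains $expected   # case-insensitive match
    }
}

# To add a missing value:
#   Set-ADComputer -Identity $ComputerName -ServicePrincipalNames @{ Add = 'HOST/<name>' }
```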