
Issue 753305

Starred by 4 users

Issue metadata

Status: Archived
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




unable to connect to wifi EAP-TLS with certificate

Project Member Reported by marcore@chromium.org, Aug 8 2017

Issue description

Chrome Version: stable, Beta, dev 61.0.3163.20
OS: ChromeOS

What steps will reproduce the problem?
(1) configure network as in https://support.google.com/chrome/a/answer/6321820?hl=en
(2) connect to network
(3) generate & install user certificate
(4) connect to wifi network from the wifi menu

What is the expected result?
being able to connect from the wifi menu
What happens instead?
it asks again to generate the certificate

workaround: if you go to the settings of the specific wifi network, you can connect from there.

video of the issue by the customer: https://www.youtube.com/watch?v=PigO2FZNVW0&feature=youtu.be
debug logs: https://drive.google.com/open?id=0B01ZVp8vDQocaFoxeGJEbDZ4MUU
policy: https://drive.google.com/open?id=0B01ZVp8vDQocdjZVSHFLNjBXSWs
extension_json: https://drive.google.com/open?id=0B01ZVp8vDQocWVh1Y0JiZW9TTms
extension log: https://drive.google.com/open?id=0B01ZVp8vDQocUk16eHZuU1VwWUk
customer info: https://drive.google.com/open?id=1YS0jnqb_MrdyP3i_XyD3FWsx8Q7SpVamVxYyZMv9fLE

 
Owner: josa...@chromium.org
Hi,
could you please help triage this issue?

Cc: cernekee@chromium.org snanda@chromium.org
Labels: -Pri-3 -M-60 Pri-1
Owner: ----
+kevin/sameer, can you evaluate/route as needed?

Comment 3 by roy...@google.com, Aug 11 2017

Cc: krishna...@chromium.org
Cc: aashuto...@chromium.org
Aashutosh - any chance you have a suitable setup that shows the problem right now?  Looks like this is using a special provisioning flow based around Windows infrastructure (which I have not used).
@cernekee - For testing EAP-TLS authentication, we use a FreeRADIUS server. Nothing with Windows infrastructure.

I am seeing a different issue, where clicking on an 802.1x network on a regular (non-enterprise) device does not show the "Get new certificate" popup. (Will open a different issue to track it.)
The "get new certificate" prompts are probably related to enterprise policy.  IIRC when I've configured 802.1x by hand (in order to use a FreeRADIUS setup like yours), I couldn't even save the new network configuration until I had a cert installed.
My earlier comment was not very clear. I wanted to mention that the device itself was not enterprise enrolled but I logged in as an enterprise user.
Yes, that is right, we need certificates before adding the EAP-TLS network manually. 
Any news on this issue? We have another customer reporting this issue.
c#8 - if you have a repro case, ping me on Hangouts and I'll take a look.
Hi Kevin, as discussed we have checked the details of a setup with the customer:

"We have a Cisco network. We have Cisco ISE 1.4 installed and that allows us to authenticate via certificate. Our certificate server is MS certificate server. 

Here is how we configured the network on the OU. 
Drive link image 1: https://drive.google.com/open?id=15w3jAjtsCO020qv92uYsAIXT4aRa1uw-
Drive link image 2: https://drive.google.com/open?id=1Dk2I0oYDRuTye_PlUfbdYIRJtIuh__uD

Client EnrollmentURL = chrome-extension://fhndealchbngfhdoncgcokameljahhog/html/request_certificate.html 

The certificate gets created but it does not automatically get set or changed for the login. The end-user would have to change it."
Cc: jingwee@chromium.org
Is this reproducible with Google-A? IIRC, Google-A uses a similar network config.




This issue was not reproduced with Google-A.  However, I could reproduce the issue with CrOS_WPA2_LinksysE3000N_5GHz network in M64.0.3282.24 10176.13.1 dev Minnie.

On Cpanel, my network setting has the Issued To/OrganizationalUnit (OU) field value "ChromeOS", which matches the standard client certificate downloaded from the Radius server.

However, when the client certificate is manually generated from the Radius and installed on device, the field I saw was "<Not Part of Certificate>".

The mismatch prompted the certificate not installed error when I tried to connect to the network.

But, when I followed the step in this bug and tried to connect from within the Configure dialog, the network was connected successfully; and not from direct connection.

Screenshots:
https://drive.google.com/open?id=1TZmOcNgHV8ZjEZAP-e-nyApATD_Z-QhQ
Owner: vkasatkin@google.com
Status: Assigned (was: Untriaged)
@vkasatkin, according to @jingwee's findings:
could we check if the Issuer pattern and the Subject pattern (specifically OrganizationalUnit/OU) set in the CPanel/ONC policy match the Issued to and Issued by fields of the certificate generated on the device? (You can check this in chrome://settings/certificates: click on the corresponding client certificate and View Details.)
Labels: Needs-Feedback
We are still waiting for the customer's feedback re #13. I will update this bug once we have any news.
Status: Archived (was: Assigned)
Unfortunately the customer never got back to us on the question in comment #13.
I am archiving this bug for now and will reopen in case of any news/updates.
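
The check requested in comment #13, written out as an added example that is not part of the original thread or of Chrome OS: it compares the Issuer and Subject fields of an ONC `ClientCertPattern` with a certificate's distinguished names and reports each field that fails. The exact-match rule, the CA name and the user names are assumptions made for illustration; only the OU value "ChromeOS" comes from the thread.

```python
# Assumption (not from the thread): a pattern field must equal one of the
# certificate's values for that attribute; fields absent from the pattern are ignored.
# Keys: short names printed by `openssl x509 -noout -subject -issuer -nameopt RFC2253`.
ONC_FIELD = {"CN": "CommonName", "L": "Locality", "O": "Organization", "OU": "OrganizationalUnit"}
NOT_PRESENT = "<Not Part of Certificate>"

def parse_dn(dn):
    """Split an RFC 2253 style DN into {ONC field: [values]} (backslash escapes only)."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    fields = {}
    for part in parts:
        key, sep, value = part.strip().partition("=")
        if sep and key.upper() in ONC_FIELD:
            fields.setdefault(ONC_FIELD[key.upper()], []).append(value)
    return fields

def pattern_mismatches(pattern, cert):
    """Return (section, field, wanted, found) for each pattern field the cert fails."""
    problems = []
    for section in ("Issuer", "Subject"):
        have = parse_dn(cert[section])
        for field, wanted in pattern.get(section, {}).items():
            found = have.get(field, [])
            if wanted not in found:
                problems.append((section, field, wanted,
                                 ", ".join(found) or NOT_PRESENT))
    return problems

# Constructed sample data: a policy pattern and two certificates' DN strings.
PATTERN = {"Issuer": {"CommonName": "Example RADIUS CA"},
           "Subject": {"OrganizationalUnit": "ChromeOS"}}
STANDARD = {"Issuer": "CN=Example RADIUS CA,O=Example",
            "Subject": "CN=testuser,OU=ChromeOS,O=Example"}
MANUAL = {"Issuer": "CN=Example RADIUS CA,O=Example",
          "Subject": "CN=testuser,O=Example"}

for name, cert in (("standard", STANDARD), ("manual", MANUAL)):
    print(name, pattern_mismatches(PATTERN, cert) or "matches pattern")
```

An empty result means every field the policy names is present in the certificate; the constructed "manual" certificate fails on the Subject OU, the same mismatch described in the thread.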
