If the following are true…
- Windows 7 connects to 802.1X enabled network
- EAP method has something to do with TLS (PEAP, EAP-TLS…)
- Server certificate’s subject field is empty
…then Windows 7 will refuse to connect with useless error messages. You’ll just have to know that Windows 7 doesn’t accept server certificate with empty subject. Some Certificate Services templates (Kerberos Authentication) keep subject empty by default so watch out if you have NPS on DC for example. Windows 8.1+ will work fine.
There’s little information about it online and the issue is quite hard to track down.