Cisco ISE 2.1 introduced support to do on-boarding for Chromebooks, however, as you may already know, there are two things you need to provision to a device that goes through the on-boarding process, that is:
-Native supplicant provisioning, which is basically the wireless settings like SSID, EAP type, etc.
While doing a deployment I just realized that on Chromebook devices, you can only perform certificate provisioning. Native supplicant provisioning is done via the Google Admin Console, ISE can't do this, if you take a look at the menu, you will see NSP profiles for all OS but Chromebooks.
So if you want to do EAP-TLS for Chromebooks, you will only be able to install the certificate, but the wireless configuration has to be done via Google Admin console anyway.
Most customers look for a very easy to follow process to do this, so the best shot at this point is to do everything through Google Admin console and use PEAP authentication.
I also realized that if you want to do EAP-TLS by configuring a profile via Google Admin Console, you will not get prompted to choose a personal certificate, instead Google will ask for a URL where the device can get a certificate from, similar to what Cisco used to do with ISE back in the day, with version 1, which is not very easy to configure, specially because you need to make some changes in your internal CA.
That is why I keep saying that for Chromebooks, the best shot is PEAP authentication and on-boarding with Google Admin console. Not that EAP-TLS does not work, it is not just as easy as most people want.
EAP-TLS for iOS, Windows, MACOS and Android is still something easy to do via the conventional ISE onboarding process.