Hi,
Fyi, I faced the issue on an IE3300 v17.10.1 as well..
As a "workaround", I reduced the DACL in ISE to 1 statement (permit ip any 10.0.0.0 in my case), cleared the access-session on the switch, endpoint got authorized properly.
Then, I went back in ISE, put the full DACL back in, cleared the access-session once more on the switch and the endpoind stayed authorized.
~Alex