Hello Tutu,
It seems that authorization conditions are not matching as expected.
You might be using host/machine-name as a condition, which won't work when authenticating with certificates.
It is expected for EAP-TLS to have the username as host/anonymous since the identity is not yet protected.
I would suggest using the certificate attributes instead, and hopefully that should resolve the issue.
If you are still facing the issue, I would request you to post in the below community channel:
https://community.cisco.com/t5/network-access-control/bd-p/discussions-network-access-control
Cheers,
Pratham