I am ,agree with @Jason Kunst  are you sure that PC authenticate with MAB are with updated GPO . In my deployment i have same ,but this is not problem of ISE ,when the PC try DOT1X and it fail it start MAB this is normal because it not match all criteria by dot1x. Some of my Domain PC was not with updated GPO and always fail after gpupdate /force  and restart the machine all is ok. And 1 more thing when a windows machine go to sleep or hibernate always make MAB this is the thing what i see in my deployment ,and as i told above this is not problem of ISE it is the problem of endpoints .

Moreover, sometimes PCs can authenticate because I see in the live logs that they send their mac-address as identity instead of Domain Computer name. Can it be also related to GPO or PC?

IT can be 2 things: 1 Not updated group policy 2 Not started WLAN AUTOCONFIG SERVICE or WIRED AUTOCONFIG service

But all of these are configurable by GPO by your Domain admin. And as i wrote before all Windows sleep machines will be authenticated by MAB .In my deployment we set machines not going to sleep or hibernate .

No, in my case it is not because of sleep. all PCs are open. I have checked all GPOs 1 was for Anyconnect mobile client, another for Anyconnect configuration xml and last one for certificate. All are okay and same among all computers. However some computers cannot authenticate using dot1x and trying mab and fail. I am posting debug output.

Hi what kind of switch is that this debug is a little strange for me its not like a cisco switch

Thank you for your response. I will check the solutions provided. One more problem i face is a bit different. I check computer and see that certificates and Anyconnect configuration xml files are installed by GPO. However some PCs cannot authenticate and ISE gives this log:

12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

What can be cause of this error?