ISE shows auth passed but switch unauth

jayage
Level 1

Hi guys,

we got a strange situation where ISE shows access points (2702 / PAC provisioned) as authenticated but the switch (mainly cat3650 / 16.3.6) does not. We do have the same issue on different switches, also on 9300 with 16.6.3. I compared the switch dot1x session ID with the audit session ID in ISE, exactly the same. Might we hit a bug or is there something else wrong? We're using an ISE internal user for the AP supplicant. APs are controller based, controller version is 8.3.140.0. When we close the port, no traffic flows. I attached show sess int gx/x/x + ISE auth details for reference. Can someone please advise?

Thank you!

11 Replies

Cory Peterson
Level 5

Can you please share what your Authorization profile looks like?

The auth profile is simply set to permit access. The auth policy currently looks like this:

[attached screenshot: policy.PNG]

Under condition we're using the predefined set Wired_802.1X, the source sequence contains AD lookup + internal identity store. Allowed protocols contain several like EAP-TLS and PEAP MSCHAPv2 but also EAP-FAST (with inner MSCHAPv2, EAP-GTC and EAP-TLS). Use PACs is enabled with anonymous and authenticated in-band PAC provisioning.

According to the hit counter you can see it is/was working several times but not for the specific AP mentioned in the earlier attached debug info. Several others are not working either.

 

Hello,

That is the Authentication profile. I am interested in what your Authorization profile (Result) looks like.

Thanks!

The result is the standard permit access.

Do you have a Pre-auth ACL on the switch ports? Or is this only in monitor mode?

Don't know if pre-auth ACLs are set, I only know pre-auth ACLs for web authentication at our guest wifi. Is maybe the supplicant wrong on these APs?

PAC provisioned is not authentication. When you are using EAP-FAST the client will first connect to ISE to do PAC provisioning, then it will authenticate. So the AP is only doing the first part. You should see a Dot1x authentication attempt closely following the PAC provisioning.

Also, if the step data you posted is from the actual authentication and not the PAC provisioning log entry, it looks like you are passing authentication but failing authorization. I see an authentication succeeded, but the selected authorization profile is blank.

22037 Authentication Passed
15036 Evaluating Authorization Policy
15016 Selected Authorization Profile -
11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning

I just restarted one AP to watch the behavior. PAC succeeded but no authentication session followed.

Is it normal that it got rejected at the end of the PAC provisioning:

11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
61025 Open secure connection with TLS peer
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Honestly I don't know how to proceed.
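As an added example (not from the thread), a small Python triage script for ISE step lists like the ones posted above: it groups step entries by audit session ID and flags sessions that end in the expected PAC-provisioning reject with no real authentication following, which is the symptom described here. The input line format "session-id code text", the sample session IDs, and the 11002 "Returned RADIUS Access-Accept" step are assumptions.

```python
import re
from collections import defaultdict

# Assumed input format (constructed): "<audit-session-id> <5-digit step code> <step text>",
# one ISE "Steps" entry per line, in chronological order.
STEP_RE = re.compile(r"^(?P<sid>\S+)\s+(?P<code>\d{5})\s+(?P<text>.*)$")

# Constructed sample: session ..A1 only provisions a PAC, ..B7 provisions a PAC and then
# authenticates, ..C2 passes authentication but matches no authorization profile.
SAMPLE_STEPS = """\
0A0A0A01000000A1 22037 Authentication Passed
0A0A0A01000000A1 15016 Selected Authorization Profile -
0A0A0A01000000A1 11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
0A0A0A01000000A1 11003 Returned RADIUS Access-Reject
0A0A0A02000000B7 11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
0A0A0A02000000B7 11003 Returned RADIUS Access-Reject
0A0A0A02000000B7 22037 Authentication Passed
0A0A0A02000000B7 15016 Selected Authorization Profile PermitAccess
0A0A0A02000000B7 11002 Returned RADIUS Access-Accept
0A0A0A03000000C2 22037 Authentication Passed
0A0A0A03000000C2 15016 Selected Authorization Profile -
0A0A0A03000000C2 11003 Returned RADIUS Access-Reject
"""

def parse_steps(text):
    """Group step entries by audit session ID, preserving their order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            sessions[m["sid"]].append((m["code"], m["text"].strip()))
    return sessions

def classify(steps):
    """Return the outcome of one session from its ordered (code, text) steps."""
    texts = [t for _, t in steps]
    if any("Access-Accept" in t for t in texts):
        return "authenticated"
    if any("PAC provisioning" in t for t in texts):
        # The reject that closes PAC provisioning is expected; the problem is that
        # no real EAP-FAST authentication followed in this session.
        return "pac_provisioned_no_auth"
    passed = any(t == "Authentication Passed" for t in texts)
    no_profile = any(t.endswith("Authorization Profile -") for t in texts)
    if passed and no_profile:
        return "authz_no_match"
    return "rejected"

def analyze(text):
    """Map every audit session ID in the step list to its classification."""
    return {sid: classify(steps) for sid, steps in parse_steps(text).items()}

if __name__ == "__main__":
    for sid, outcome in analyze(SAMPLE_STEPS).items():
        print(sid, outcome)
```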

New finding: I noticed that only access points on trunk ports with WLAN-VLAN mapping are not working properly, and only on IOS XE. Got some ISE 3750v2 with IOS 15.0.2SEx, using the same static trunk port config for APs, where authentication works as expected.

Port config looks like this:

 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,100
 switchport mode trunk
 device-tracking
 authentication host-mode multi-host
 authentication open
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk
 spanning-tree bpduguard enable

Auth open ofc as it is not working atm. VLAN 2 is the standard 'client' VLAN used for the internal SSID while 100 is for voice.

Any clue? While researching I stumbled over the following article: https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html

Do I have to go for NEAT? Or can we get it working with a static port config?

You shouldn't be doing authentication on trunk ports. If your APs are FlexConnect they shouldn't have ISE on the ports. If they are local mode APs they shouldn't be trunks. If you are worried about someone unplugging the AP and plugging in when the port is trunked, you can use an Auto Smartport macro applied by ISE to reconfigure the port.

So the port would be a standard access port with authentication on it. When the AP plugs in, ISE would invoke the macro to reconfigure the port to a trunk and remove authentication. If the AP is unplugged it goes back to an access port with auth enabled.

Search the forums for smart port. I and others have posted on it.