You can try 2 things.  First, remove the dot1x timeout tx-period 10 command from the port.  That will reset the dot1x timeout back to 30 seconds with 2 retries for a total of 90 seconds.  With your command, dot1x fails over to MAB in 30 seconds.  It is possible that the PC has some software on it that takes a long time to boot before the network adapter and Wired AutoConfig service can fully start.  99% of the time, a timeout of 10 seconds with 2 retries is perfect, but there are also rare times where that timer needs to be tweaked higher or lower.

The other thing to try is to remove the default port ACL.  If you remove both of those and it still isn't working, then I would recommend some dot1x and Radius debugs on the switch to dig a little deeper.  I know you said you saw some dot1x attempts, but that could just be the switch requesting the identity of the endpoint but the switch isn't getting a response so it never sends the information to ISE.  You could also SPAN the port and capture the packets.  See if the PC is responding to the switch's EAP Request-Identity.

Also check the Event Viewer on the PC for any System events related to the network adapter or 802.1x.

We are having similar issues as well.

we use Windows 10, Dell laptops, Dell WD15 docking station and Avaya IP Phone.

From Wall jack cables goes to Avaya Phone, From Phone to Dock and PC is connected to Dock using USB-C.

Issue that we are seeing is randomly PC will stop authentication using dot1x (PEAP in our case) and will keep authentication using MAB and ISE will deny the MAB request as expected.

user have tried rebooting the laptops no luck,

we verified the Supplicant on the PC was running while issue was happening.

we have seen lot of post about USB-C docking station my cause problem with dot1x if they are not configure for MAC bypass. will send Dock mac address instead of PC mac address. But this is not the case in our situation we have verified that MAC address that we are seeing on ISE is the actual mac address of the PC not.

For the workaround we are telling user to go wireless, which works.

If user reboots the Avayaphone it works temporarily, then issue comes back again.

In some cases we had user bypass the phone and they have not seen the issue happen again.

In some cases we had user connect network cable to the PC instead of the docking station and this also seemed to have fix the problem as well.

At this point we are not sure whats causing the Problem Window 10, Avaya Phone or Docking Station.

As always network guy has to prove that nothing is wrong on the Cisco Switch side or Cisco ISE side.

below is the switchport configuration, we use default timers for dot1x, Cisco ISE configured to allow machine if its member of domain user group (PEAP)

Again this issue is not happening to all the users, its random.

description USER-VLAN
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport voice vlan 10
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
mab
mls qos trust dscp
dot1x pae authenticator
auto qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input SWITCHPORT-ACCESS-POLICY