Cisco ISE not supporting IoT device

oumodom
Level 1

Dear Cisco lover, 

We would like to seek your support on a case where an IoT device is not functional when we apply Closed Mode with Cisco ISE, such that the MAC address can't be learned on the switch port.
Once we configure the switch with Low Impact mode, the IoT device is able to work without any interruption.

It would be great if someone has experienced this case and can share the fix.

Cisco ISE v3.1
Thank you,

11 Replies

Torbjørn
VIP

You will have to supply some more details. How is the device authenticating to the network? Are there any clues in the session details for the device?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Sure thing @Torbjørn, I have shared it in the post.
First, we have low impact mode; for the IoT devices we build a profile and authenticate through MAB.
Then, when we commit the Closed mode command, the switch port will be disconnected and no MAC address is learned on the switch.

There is impact only on some kinds of devices, such as access doors/UPS.
Fortunately, printers/cameras ... work perfectly in closed mode.

It's true that not all devices work well with closed mode; some need low impact mode since they need to get an IP and/or some info before they fully work and start sending frames, which makes the SW learn their MAC.

MHM

Is there any workaround solution @MHM Cisco World, and how do we ensure the right product to support closed mode?

Hi

When you enable closed mode on the interfaces used by access door/UPS devices, have you tried bouncing the port? Perhaps these devices aren't transmitting packets as regularly as your printers (that do pass MAB in closed mode).

hth

Andy

Hi @andrewswanson
Just some of the IoT devices only.
We cannot bounce the port once it is in disconnected status.
If we bounce the port, the device will end up disconnected.

oumodom
Level 1

Hello @Arne Bier @Aref Alsouqi @Greg Gibbs 

Have you experienced such an issue?
Thank you for your ideas.

Probably you have already resolved this issue by now? One of the main differences between low-impact and closed mode is that with low-impact mode you would have a default access list applied to the port where some traffic will be allowed. In closed mode everything will be denied on the switch port, with the exception of EAPoL traffic, until the authentication and authorization are completed. Another main difference in low-impact mode is that the traffic on the switch port will still be passing even if ISE returns an access reject, and it will be subject to the switch port access list.

Now for the IoT or whichever dummy devices to start the authentication process, they need to send at least one frame to the switch before the switch relays that info to ISE, and based on the response back from ISE the authentication will be accepted or rejected. The devices do not need any IP addressing during this process, and the main detail that will be taken from the frame received from the devices on the switch port is their MAC addresses. Those MAC addresses will be used as their credentials for authentication and also authorization.

Assuming the authentication has passed, the authorization process would start, and the returned attributes from ISE will be applied to the port, whether to fully open the port or apply specific attributes.

This process should not change if the port is in low-impact or closed mode. As long as the IoT device sends a frame the switch will take it and relay it to ISE for authentication and subsequently for authorization. If the IoT device does not send any frame this whole process will not be triggered.

Bouncing the port usually helps as the devices connected to the switch ports might send some frames; however, other devices might not. Also, some devices might send frames periodically, which means that you would need to wait for some time before those devices start talking to the switch by sending some frames.

Were you getting anything on ISE logs for those devices?
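As an added illustration of the two modes Aref contrasts above (example configuration, not from this thread or from Cisco's guides): a low-impact port and a closed-mode port in legacy IBNS 1.0 syntax, followed by the show commands used to check whether the switch has seen a frame from the endpoint. The interface names, VLAN number and ACL name are assumed values.

```ios
! Added example, not from the thread. Interface names, VLAN 100 and the
! ACL name ACL-DEFAULT are assumed values; adjust to your own deployment.

! Pre-authentication ACL that low-impact mode applies before ISE answers.
! This is what lets an endpoint obtain an IP (DHCP/DNS) before it is
! authorized, which is why some IoT devices only work in this mode.
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny ip any any

! Low-impact mode: 'authentication open' forwards traffic (subject to
! ACL-DEFAULT) even before or without a successful MAB/802.1X result.
interface GigabitEthernet1/0/10
 description IoT port - low impact mode
 switchport mode access
 switchport access vlan 100
 ip access-group ACL-DEFAULT in
 authentication open
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

! Closed mode: same port template minus 'authentication open' and the
! pre-auth ACL. Only EAPoL passes until ISE authorizes the session, so a
! device that never sends a frame is never learned and never authorized.
interface GigabitEthernet1/0/11
 description IoT port - closed mode
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

! Checks from the enable prompt on the closed-mode port: whether a session
! exists and in what state, and whether a MAC has been learned at all.
show authentication sessions interface GigabitEthernet1/0/11 details
show mac address-table interface GigabitEthernet1/0/11

! Re-trigger authentication from the switch side (Andy's "bounce") without
! physically unplugging the cable.
clear authentication sessions interface GigabitEthernet1/0/11
```

If `show mac address-table` stays empty on the closed-mode port while the same device is learned on a low-impact port, the switch has not received a frame from the endpoint, which matches the behaviour Aref and MHM describe; if a session exists but is rejected, the next place to look is the RADIUS Live Logs on ISE.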


Hi @Aref Alsouqi 

Not yet resolved; the issue is that when we unplug the cable, this IoT device can't connect, and no MAC address is detected on the switch.
The workaround is just to revert to low-impact mode to get the device connected, then apply the closed mode command one port at a time.

We don't accept this workaround. We have a case open with TAC; they just captured the switch log but have no solution yet.

Thanks for the update. What switch model and release are you running on this/these switches out of interest?

I am a Cisco ISE lover. Also, some IoT network stacks are very poorly implemented. Make sure the firmware is up to date. If that doesn't work you may need to exclude that particular port from authentication.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-1-3-2.html