Hello @faruk.zaimovic 

MAB is typically used as a fallback mechanism for devices that do not support 802.1X, like printers or IP phones. However, when you see a Windows machine, which should be using 802.1X, attempting MAB first, it suggests that the initial 802.1X authentication attempt failed or did not occur as expected. After the MAB attempt fails, the machine eventually tries 802.1X again and succeeds with EAP-TLS, indicating that the machine is capable of authenticating correctly but might be encountering initial connectivity issues or delays in starting the 802.1X process.

If there are network connectivity issues or if the port is flapping (constantly going up and down), it might cause the Windows machine to revert to MAB as it temporarily loses network connectivity or doesn’t complete the 802.1X authentication in time.

Also, there might be a delay in the 802.1X supplicant starting up or attempting to authenticate after the network interface becomes active. This delay could cause the switch to fall back to MAB...

If there is a problem with the certificate or the configuration of the EAP-TLS profile on the machine, it could cause the initial 802.1X attempt to fail, leading to MAB. Once the issue is resolved (like a delay in accessing the certificate store), the 802.1X authentication could succeed.

Since you didn’t find relevant information in the event logs, consider enabling detailed logging for the Windows 802.1X supplicant. This might give more insight into why the initial 802.1X attempt fails or is delayed. Review the ISE authentication logs for any patterns or specific errors associated with these events. Check the policies in ISE to ensure they are correctly configured to handle both 802.1X and MAB, and that the fallback behavior is appropriate.