782 Views, 0 Helpful, 6 Replies

daily operation join domain

williamtan (Level 1)

I have configured dot1x to have full access, and machine authentication to have limited server access for domain users. I have disabled MAB to prevent other machines from connecting to and accessing the network. But I have a problem here: how can I allow access for new machines that haven't joined the domain, or machines that have lost domain trust? I created a whitelist group that provides full network access, and I add the MAC address to the whitelist group when needed at the moment. But this is not practical; any other suggestions?

1 Accepted Solution

Colby LeMaire (VIP Alumni)

This is a common situation for any 802.1x deployment.  There will be times when a new device needs access or when an existing device is having problems and the Service Desk needs to access the machine remotely to resolve the problem.  Or to do a complete rebuild of the software.

 

What I do with my customers is create an Endpoint Identity Group called something like "Workstation Repair" and an associated authorization rule towards the top of the policy that allows access.  Then use RBAC within ISE to give the Service Desk personnel the ability to log in and add MAC addresses to that whitelist group.  That allows the client machine to access the network and then the Service Desk can do what they need to do to fix it.  Once resolved, they can move the MAC address out of that group.

 

As a backup to ensure that no MAC addresses stay in that group for too long, I create a purge policy that clears any MAC address from that group after 48-72 hours.  This process keeps the Service Desk from having to engage Tier 2/3 every time.

 

The only other thing that you could do is allow "Guest" access with CWA on the switches.  If no higher-level rule is hit, then allow limited access and redirect to the Guest Portal.  If an Administrator logs in, then give full access.  But in my opinion, this adds too much complexity to an already complex solution.  And it requires someone to be physically at the machine to put credentials in.  Hard to do in large Enterprise environments where there may not be administrators available at some remote locations.


6 Replies


Yes, I'm using this method now, and you enlightened me to create a new purge policy to auto-clear the MAC addresses. Thanks.

Surendra (Cisco Employee)

How about creating another policy on top for just user authentication and giving limited access to the domain controllers so that the machine could be registered onto a domain?

The problem is that if a particular user has never logged on to a specific machine, there are no cached credentials and the machine would have to connect to a domain controller to authenticate the user.  If the user cannot log on to the machine, then the user credentials would never be presented by the supplicant.  So trying to do user authentication for 802.1x would not work in this scenario.  You have to authenticate the machine first to provide some access to the domain controllers.  But as the original post stated, there are situations when the machines somehow get removed from the domain.  In that case, your only option would be to authenticate the machine using a certificate that is already on the machine or use MAB and a whitelist group.  As I stated previously, I recommend having MAB enabled with 802.1x using FlexAuth and then using a "Workstation Repair" whitelist in ISE to handle these types of situations.  802.1x is not going to work perfectly in all cases, so give yourself and the Service Desk a way to allow access temporarily for resolving supplicant issues.

IMO, I agree with the statement about using FlexAuth so that when those hosts fail 802.1x, it terminates and falls through to MAB. I think you have a variety of options. As for the comment on having a default policy that allows restricted access, there are some security concerns. One concern in my mind is that if anyone rogue plugs into a NAD, they default to a restricted area that allows them to access important servers providing certain services that aid in getting a machine up to snuff on your domain, which could cause issues. Many may argue that from a defense-in-depth viewpoint there are other mechanisms that may deter the concern I mentioned, such as building access, lab access, server firewalls, etc. Anyway, you could use a type of portal that registers them with some sort of approval that then adds the MAC to a MAB group. Then, as mentioned already, you could purge that group every few days. I think an issue with that is the required manual intervention of approving registrations. Regardless, you will still require manual intervention if you determine that the best method is to enable MAB and add endpoints to it without profiling. I would maybe look into types of profiling attributes that you may be able to leverage to assist in automating your concern(s). Something else to consider is that if you use MAB with manually added MACs, you may want to look into leveraging bulk adds, or simply adds via the REST APIs. Not sure how big your environment is, but that could help. Good luck & HTH!

@Mike.Cifelli, your "register your MAC for access" approach is what we do at Cisco on the wired side. You can't do anything without the machine being approved according to a certain set of rules. We use the ISE API and also SGTs to put the correct ACLs on the session.
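The accepted answer's "Workstation Repair" whitelist with a 48-72 hour purge, and the later suggestion of adding MACs through the REST API, can be combined into one small Service Desk tool. The following is an added example written for this thread; it is not Cisco ISE code and not code from any of the posters. The ERS resource paths, port 9060, basic-auth headers and the `ERSEndPoint` / `EndPointGroup` JSON shapes are my assumptions from the public ERS API and should be checked against your ISE version; the host, user, password, ticket numbers and MAC addresses are constructed placeholders, and `_fake_ise` is a constructed stand-in so the logic can be exercised without a live ISE. The script keeps its own ledger of who added which MAC and when, so every temporary entry is auditable and is removed after the TTL even if the Service Desk forgets; ISE's own endpoint purge rule, as the accepted answer describes, can still run alongside it as the backstop.

```python
"""Temporary 'Workstation Repair' whitelist helper (added example, not Cisco/ISE code)."""
import base64
import json
import re
import time
import urllib.request
from urllib.parse import quote

ERS_PORT = 9060                       # assumption: ISE ERS listens on its default port
REPAIR_GROUP = "Workstation Repair"   # Endpoint Identity Group name from the accepted answer
TTL_SECONDS = 48 * 3600               # lower end of the 48-72 h purge window


def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455 / 00-11-22-33-44-55 / 001122334455; return AA:BB:CC:DD:EE:FF.

    Only separators are stripped, so a typo such as '5G' is rejected instead of
    silently producing a MAC that never matches the machine being repaired.
    """
    digits = re.sub(r"[:\-.\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def _urllib_http(method, url, body, auth_header):
    """Minimal JSON-over-HTTPS transport using only the standard library."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    for k, v in (("Accept", "application/json"), ("Content-Type", "application/json"),
                 ("Authorization", auth_header)):
        req.add_header(k, v)
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


class IseErsClient:
    """Thin wrapper over the ISE ERS endpoint/endpointgroup resources (paths are assumptions)."""

    def __init__(self, host, user, password, http=None):
        self.base = f"https://{host}:{ERS_PORT}/ers/config"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._auth = f"Basic {token}"
        # 'http' is injectable so the logic below can be exercised without a live ISE
        self._http = http or (lambda m, u, b: _urllib_http(m, u, b, self._auth))

    def group_id(self, name=REPAIR_GROUP):
        data = self._http("GET", f"{self.base}/endpointgroup/name/{quote(name)}", None)
        return data["EndPointGroup"]["id"]

    def add_endpoint(self, mac, group_id, description):
        body = {"ERSEndPoint": {"mac": mac, "groupId": group_id,
                                "staticGroupAssignment": True, "description": description}}
        self._http("POST", f"{self.base}/endpoint", body)

    def remove_endpoint(self, mac):
        data = self._http("GET", f"{self.base}/endpoint/name/{mac}", None)
        self._http("DELETE", f"{self.base}/endpoint/{data['ERSEndPoint']['id']}", None)


def add_to_repair_group(client, ledger, raw_mac, added_by, ticket, now=None):
    """Whitelist one MAC and record who/why/when, so the entry can be audited and expired."""
    mac = normalize_mac(raw_mac)
    now = time.time() if now is None else now
    if mac in ledger:
        raise ValueError(f"{mac} already whitelisted under ticket {ledger[mac]['ticket']}")
    client.add_endpoint(mac, client.group_id(), f"repair {ticket} by {added_by}")
    ledger[mac] = {"added_at": now, "added_by": added_by, "ticket": ticket}
    return mac


def purge_expired(client, ledger, now=None, ttl=TTL_SECONDS):
    """Remove every whitelisted MAC older than ttl; returns the list of MACs removed."""
    now = time.time() if now is None else now
    expired = [m for m, rec in ledger.items() if now - rec["added_at"] >= ttl]
    for mac in expired:
        client.remove_endpoint(mac)
        del ledger[mac]
    return expired


def _fake_ise(calls):
    """Constructed stand-in for ISE: records each ERS call and returns canned JSON."""
    def http(method, url, body):
        calls.append((method, url, body))
        if "/endpointgroup/name/" in url:
            return {"EndPointGroup": {"id": "group-0001"}}
        if "/endpoint/name/" in url:
            return {"ERSEndPoint": {"id": "ep-" + url.rsplit("/", 1)[1]}}
        return None
    return http


def demo():
    """Two whitelist adds ten hours apart, then a purge run 50 h after the first."""
    calls, ledger, t0 = [], {}, 1_700_000_000
    client = IseErsClient("ise.example.invalid", "helpdesk", "secret", http=_fake_ise(calls))
    add_to_repair_group(client, ledger, "0011.2233.4455", "helpdesk", "INC-1", now=t0)
    add_to_repair_group(client, ledger, "aa-bb-cc-dd-ee-ff", "helpdesk", "INC-2", now=t0 + 10 * 3600)
    purged = purge_expired(client, ledger, now=t0 + 50 * 3600)
    return purged, sorted(ledger), [c[0] for c in calls]


if __name__ == "__main__":
    print(demo())
```

In practice `purge_expired` would run from cron with the ledger persisted to disk, the ERS account would be a dedicated ISE admin with only the endpoint RBAC permissions the accepted answer describes, and the 48 h TTL would be whatever your change process allows; the ledger also gives the Service Desk a ticket reference for every MAC that is currently bypassing 802.1x, which the ISE group membership alone does not show.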