Thanks Mike for your answer.
1. The customer is not doing TrustSec (my bad for misleading you when I mentioned that under the FMC, thanks to pxGrid, we were seeing attributes from ISE. The only attribute that populates through pxGrid is Device Type, since TrustSec hasn't been turned on).
2. Blocking at the firewall would not be the solution to stop non-authenticated endpoints from leaving the network. We need to have a way to find out: is the endpoint authenticated? [Another frustrating point at that customer is that all of the network's endpoints (IP phones, printers, workstations) are on the same 10.0.0.0/16 network (don't ask me why!!!).]
Remember the requirement of my original question:
A. Endpoints are all MAB (not 1X).
B. The customer is not using pre-AuthC ACLs on the switchports!!! So, the moment the "authentication open" command is added, the traffic starts going through the port. That traffic could find its way to the edge firewall and leave for the internet. Thus, it would be nice if the NGFW could query ISE with "is this device authenticated?".
My personal opinion is that the customer needs to implement more features of 1X/MAB to fix this issue. The piecemeal approach is not working here.
Thanks anyway. Consider this case closed.
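The gap described in point B, shown as an added configuration example that is not part of the original post: on a Cisco IOS access switch, "authentication open" with no port ACL (Cisco's monitor mode) forwards every frame from link-up, before ISE has authorized the MAC address. Adding a pre-authentication ACL to the same port (low-impact mode) limits an unauthenticated MAB endpoint to DHCP, DNS and the ISE/management subnet until an authorization result arrives, so unauthenticated traffic is dropped at the access port and never reaches the edge firewall. The interface names, the ACL name and the 192.0.2.0/24 management subnet are placeholders, not values from the customer's network.

```ios
! Added example, not the original poster's configuration.
! Interface names, the ACL name and the 192.0.2.0/24 subnet are placeholders.

! --- Weak: "authentication open" with no pre-authentication ACL ---
! All traffic is forwarded as soon as the link comes up, before MAB completes.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication open
 mab
 spanning-tree portfast

! --- Corrected: same open port, but traffic is restricted until ISE answers ---
! Only address assignment, name resolution and reachability to the ISE /
! management subnet are allowed for an unauthenticated endpoint; everything
! else is dropped on the access port. When MAB succeeds, a dACL returned by
! ISE in the authorization profile replaces this ACL for that session.
ip access-list extended PRE-AUTH
 remark DHCP so the endpoint can obtain an address
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark ISE PSNs / management subnet (placeholder address)
 permit ip any 192.0.2.0 0.0.0.255
 remark everything else waits for authorization
 deny ip any any

interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication port-control auto
 authentication open
 mab
 spanning-tree portfast
```

To check what a given port is actually doing, "show authentication sessions interface GigabitEthernet1/0/2 details" lists the session status and the ACL currently applied, which answers the "is this endpoint authenticated?" question on the switch itself rather than at the firewall.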