
IBNS2.0 concurrent dot1x & mab authentication

Hi Gentlemen

There are a lot of statements like "ISE doesn't support the subject" without a clear explanation of the reason.

Could somebody here enlighten me on this?

Thanks in advance

6 Replies

paul
Level 10

Read the back and forth here:

https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/td-p/3749539

We do simultaneous MAB and Dot1x in all our IBNS 2.0 installs and have tens of thousands of switches running it without an issue and millions of authentications. The only defense the BU has given for not officially supporting it is that if the two authentications happen too close together ISE may get confused and not process them correctly.

The original IBNS 2.0 documentation listed this as a main feature and even the Cisco Live presentations show this feature as a major benefit:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/LTRSEC-2017-LG.pdf

(search for concurrent authentication)

We tell our customers that on the community forums Cisco says they don't officially support it, but we lay out our extensive track record of installs using it without an issue as the reason we still recommend it. Granted, our template is slightly different from the stock IBNS 2.0 template, but it is pretty close except for running MAB/Dot1x at the same time.

The only downside we have seen with running simultaneous is that you are adding extra authentications to the ISE environment. Every 802.1x device will have a MAB authentication in the logs as well.

Hi Paul,
I'm not sure why concurrent adds extra authC/Z to ISE, because with sequential the total number remains roughly the same, just dispersed in time (because both MAB and DOT1X are present on the interface and DOT1X is usually configured to be attempted first, often without a quick answer, which prevents MAB from being tried).
Here is another question: "why does ISE have to be confused by simultaneous DOT1X and MAB from the endpoint?" ISE does quite predictable work in the background which, when drilled down, shouldn't expose anything preventing the two sessions from being treated independently, does it? I would suggest that concurrent DOT1X and MAB from an endpoint could confuse ISE for some practical reason (like the two different authC/Zs, MAB and DOT1X, being assigned the same session ID for whatever reason, for example).
But it seems like the actual reason will remain undiscovered by the community :0)

If you are running true concurrent MAB and Dot1x you will have a MAB transaction in ISE for every Dot1x, guaranteed. Remember that what triggers a session start is the switch learning a MAC address into its table. As soon as it learns the MAC address it fires off a MAB request to ISE and at the same time sends out an EAPOL-Start to the device. ISE will process the MAB request. If the system responds to the EAPOL-Start the switch side will terminate MAB, but ISE has already processed the MAB request. If you watch the ISE logs you will see a MAB entry in the log followed by a Dot1x entry typically a few hundred ms later. This assumes the machine is online when it is plugged in. If the machine is booting up the MAB and Dot1x entries will be spaced a little farther apart.

I've noticed the CPM/Audit session ID is the same for MAB and DOT1X for the endpoint. In my case they are separated by ~10 sec.
By the way, could you please advise on the event <name> match-first keyword?
The manual states:
"match-first (Optional) Evaluates only the first control class."
but with an event that has many classes defined it wouldn't make any sense.
Should we read it as "evaluates classes in sequence until the first one matches" instead?

Also, about event agent-not-found ("The agent for the authentication method was not detected"):
does it trigger with regard to MAB when the port comes UP but no MAC is visible for whatever reason?
Also, does agent-found ("Agent for authentication method is successfully detected") trigger similarly when a MAC is learned on the port?

Agent found/not found is 802.1x supplicant detection.

If you are doing true concurrent MAB/802.1x your session start would look like this:

event session-started match-all
10 class always do-all
  10 authenticate using dot1x priority 10
  20 authenticate using mab priority 20

This will result in MAB records in ISE for each 802.1x record.
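Added here as an illustration (not code from the thread, Cisco or ISE): a Python script that takes ISE-style authentication log lines, constructed inline, groups them by audit session ID (the thread observes that an endpoint's MAB and dot1x records share one ID) and counts the MAB records that exist only because the endpoint also completed dot1x, the overhead Paul describes for the do-all template. The log field layout and the 2-second concurrency window are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (not real ISE output): timestamp, audit session ID, MAC, method, result.
SAMPLE_LOG = """\
2024-05-01 10:00:00.120 AC10010A0000001F3C2B9E11 00:11:22:33:44:55 MAB PASS
2024-05-01 10:00:00.480 AC10010A0000001F3C2B9E11 00:11:22:33:44:55 DOT1X PASS
2024-05-01 10:00:05.000 AC10010A000000203C2BA0F0 66:77:88:99:AA:BB MAB PASS
2024-05-01 10:01:00.000 AC10010A000000213C2BB1A2 00:11:22:33:44:66 MAB FAIL
2024-05-01 10:01:10.250 AC10010A000000213C2BB1A2 00:11:22:33:44:66 DOT1X PASS
"""

def parse_log(text):
    """Turn each well-formed line into a record; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
        records.append({"ts": ts, "session": parts[2], "mac": parts[3],
                        "method": parts[4], "result": parts[5]})
    return records

def correlate(records, concurrent_window=2.0):
    """Group by audit session ID (assumed shared by one endpoint's MAB and dot1x
    records) and classify each session: mab_only, dot1x_only, concurrent (dot1x
    within the window after MAB, what the do-all template produces) or sequential."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)
    summary = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        methods = {r["method"] for r in recs}
        if methods == {"MAB"}:
            kind, delta = "mab_only", None
        elif methods == {"DOT1X"}:
            kind, delta = "dot1x_only", None
        else:
            first_mab = next(r for r in recs if r["method"] == "MAB")
            first_dot1x = next(r for r in recs if r["method"] == "DOT1X")
            delta = (first_dot1x["ts"] - first_mab["ts"]).total_seconds()
            kind = "concurrent" if 0 <= delta <= concurrent_window else "sequential"
        summary[sid] = {"mac": recs[0]["mac"], "kind": kind, "delta_s": delta}
    return summary

def extra_mab_count(summary):
    """MAB authentications ISE processed only because the endpoint also completed dot1x."""
    return sum(1 for s in summary.values() if s["kind"] == "concurrent")
```

Run on a real export, the concurrent count is the extra MAB load per dot1x endpoint; sequential sessions show the longer gap a dot1x-first template produces.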

Thanks Paul,
it's a well-known clause from the IBNS 2.0 DG. Could you please help with the below? It's really totally undiscoverable on CCO. Maybe you have better knowledge because of your deep experience?
By the way, could you please advise on the event <name> match-first keyword?
The manual states:
"match-first (Optional) Evaluates only the first control class."
but with an event that has many classes defined it wouldn't make any sense.
Should we read it as "evaluates classes in sequence until the first one matches" instead?

Also, about event agent-not-found ("The agent for the authentication method was not detected"):
does it trigger with regard to MAB when the port comes UP but no MAC is visible for whatever reason?
Also, does agent-found ("Agent for authentication method is successfully detected") trigger similarly when a MAC is learned on the port?