We are using a Meraki wireless network, and we have rolled out ISE to authenticate the users.
We have a tiered structure: if the machine and user certs are present, then the user has full access. If they only have valid AD credentials, they get a BYOD type of access.
What we are experiencing is devices that connect with full access and then, randomly throughout the day, re-auth as BYOD only.
When the machine first boots, it validates the machine and user certs; throughout the day, when it re-auths, it is only able to see the user, so it gives the lower access.