I cannot find anything in the ISE user manual that describes the behaviour when a client fails authentication after a number of failed authentications,. Lab trials are somewhat inconclusive!

Eg After 3 failed logins during a rolling 30 minute window I want client to be excluded for 30 mins before he can try again.

Policy > Policy Elements > Results shows:

Allow EAP-MS-CHAPv2: Retry Attempts—"Specifies how many times Cisco ISE requests user credentials before returning login failure". Valid values are 1 to 3.'

What governs the window, time recovery and where can I see an excluded client that has failed this way?