08-14-2018 04:14 PM
We're having an issue with simple MAB auth for some devices in ISE2.3. We can manually tag the port for the correct VLAN without ISE/MAB and it works fine. As soon as we default and configure the port for MAB it shows successful authentication/authorization in ISE but doesn't get any actual network access. This applies to some DHCP and statically assigned devices. Showing authentication sessions on the switch shows successful authentication as well.
Any tips on troubleshooting this or finding meaningful info?
08-15-2018 08:32 AM
Yes. Not all of the devices affected are profiled, but they are placed in a VLAN based on the ID Group or Logical Group the endpoint belongs to. Below is an auth report for a device tested yesterday. I can't show the auth session at the moment since it is working manually tagged, but should be able to get it in 30 mins or so.
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Radius.User-Name
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Airespace.Airespace-Wlan-Id
15041 Evaluating Identity Policy
22072 Selected identity source sequence - Wired_MAB_ID_Sequence
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - --
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP - EndPoints.LogicalProfile
15016 Selected Authorization Profile - PolicyResult_VLAN510
11002 Returned RADIUS Access-Accept
Overview
Event 5200 Authentication succeeded
Username -
Endpoint Id -
Endpoint Profile VOICE
Authentication Policy CH-Wired MAB >> Default
Authorization Policy CH-Wired MAB >> Wired VOICE
Authorization Result PolicyResult_VLAN510
Authentication Details
Source Timestamp 2018-08-14 15:52:29.648
Received Timestamp 2018-08-14 15:52:29.649
Policy Server psn1
Event 5200 Authentication succeeded
Username -
User Type Host
Endpoint Id -
Calling Station Id -
Endpoint Profile VOICE
Authentication Identity Store Internal Endpoints
Identity Group VOICE
Audit Session Id 0000000000002E94DB2ACCFA
Authentication Method mab
Authentication Protocol Lookup
Service Type Call Check
Network Device -
Device Type All Device Types#3850
Location All Locations
NAS IPv4 Address -
NAS Port Id GigabitEthernet4/0/35
NAS Port Type Ethernet
Authorization Profile PolicyResult_VLAN510
Response Time 10 milliseconds
Other Attributes
ConfigVersionId 1807
DestinationPort 1812
Protocol Radius
NAS-Port 50435
Framed-MTU 1500
OriginalUserName 0060b9b2f19f
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID -PSN1/313289931/3518065
UseCase Host Lookup
SelectedAuthenticationIdentityStores Internal Endpoints
AuthenticationStatus AuthenticationPassed
IdentityPolicyMatchedRule Default
AuthorizationPolicyMatchedRule Wired VOICE
CPMSessionID 0000000000002E94DB2ACCFA
EndPointMACAddress -
ISEPolicySetName CH-Wired MAB
IdentitySelectionMatchedRule Default
DTLSSupport Unknown
HostIdentityGroup Endpoint Identity Groups:Profiled:VOICE
Model Name WS-C3850-48P
Software Version 03.07.02E
Network Device Profile Cisco
Location Location#All Locations
Device Type Device Type#All Device Types#3850
IPSEC IPSEC#Is IPSEC Device#No
Name Endpoint Identity Groups:Profiled:VOICE
RADIUS Username -
Device IP Address -
Called-Station-ID -
CiscoAVPair service-type=Call Check,
audit-session-id=0000000000002E94DB2ACCFA,
method=mab
Result
UserName -
User-Name -
State ReauthSession:0000000000002E94DB2ACCFA
Class CACS:0000000000002E94DB2ACCFA:PSN1/313289931/3518065
Tunnel-Type (tag=1) VLAN
Tunnel-Medium-Type (tag=1) 802
Tunnel-Private-Group-ID (tag=1) 510
cisco-av-pair device-traffic-class=voice
cisco-av-pair profile-name=VOICE
LicenseTypes Base and Plus license consumed
Session Events
2018-08-14 15:53:04.268 RADIUS Accounting stop request
2018-08-14 15:52:32.446 RADIUS Accounting watchdog update
2018-08-14 15:52:29.684 RADIUS Accounting start request
2018-08-14 15:52:29.649 Authentication succeeded
08-15-2018 08:49 AM
Are you in open mode on the switchport and allowing DHCP? If you are doing legacy ISE template on the switch and have your order set to "dot1x mab" you can't do a VLAN move typically for DHCP devices. The device will get an IP on the original VLAN, ISE tells switch to move the VLAN and the device is now stranded with an IP on the wrong VLAN.
I usually highly discourage VLAN moves unless you are doing closed mode or the device has a static IP.
08-15-2018 09:20 AM
Thanks for the reply Paul.
These devices have either static or DHCP reserved IPs. This one in particular is static both on the device and in our IPAM. It's not changing IPs at all, nor in this case is it changing VLANs. If I tag the port as access for vlan 510 it works. If I set MAB on the port it doesn't. It shows up and the device shows an IP in the arp table (which honestly may be populated from before MAB was set).
I'm not familiar with what constitutes a "legacy ISE template". Below is the interface config for MAB:
switchport mode access
switchport voice vlan 510
logging event spanning-tree
authentication host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
This works for upwards of 99% of our devices, there are just a few that are quirky. Some I've had to manually tag the interface and get an IP for, then add MAB and shut/no shut the interface to get them up. Again, these never fail authentication.
08-15-2018 10:31 AM
Fair question. We are trying to make the interface configuration as generic as possible and as such try to use the same one for each MAB port. The majority of our workstations and kiosks connect through a hub (or switch I think) on the phones. The phones have a voice vlan and the workstations are in a different one. Since we're multi-auth my understanding is that we need to call out the voice vlan.
If that is the problem, I don't mind taking it off for these interfaces.
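Added example (not part of the thread, and not Cisco or ISE code): a small Python checker that correlates the "Result" attributes of the ISE auth report posted above with the MAB interface config, so that "authorization succeeded" can be read against what the switch was actually told to do. The sample report lines and port config are transcribed from this thread; the endpoint_uses_dhcp flag is an assumed input added to express Paul's open-mode VLAN-move caveat. The defaults in parse_port (access VLAN 1, no voice VLAN, single-host, closed mode) are the IOS defaults when the command is absent.

```python
import re

# Constructed sample: the "Result" attributes from the auth report posted in
# this thread (transcribed; not a live ISE export).
SAMPLE_RESULT = """\
Tunnel-Type (tag=1) VLAN
Tunnel-Medium-Type (tag=1) 802
Tunnel-Private-Group-ID (tag=1) 510
cisco-av-pair device-traffic-class=voice
cisco-av-pair profile-name=VOICE
"""

# Constructed sample: the interface config posted in this thread.
SAMPLE_PORT = """\
switchport mode access
switchport voice vlan 510
logging event spanning-tree
authentication host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
"""


def parse_result(text):
    """Pull the VLAN and cisco-av-pair decisions out of the ISE 'Result' block."""
    out = {"vlan": None, "av_pairs": {}}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Tunnel-Private-Group-ID(?:\s*\(tag=\d+\))?\s+(\S+)$", line)
        if m:
            out["vlan"] = m.group(1)
            continue
        m = re.match(r"cisco-av-pair\s+([^=\s]+)=(.*)$", line)
        if m:
            out["av_pairs"][m.group(1)] = m.group(2).strip()
    return out


def parse_port(text):
    """Extract the interface settings that decide how a MAB result is applied."""
    cfg = {"access_vlan": "1", "voice_vlan": None, "host_mode": "single-host",
           "open": False, "mab": False, "dot1x": False}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"switchport access vlan (\S+)$", line):
            cfg["access_vlan"] = m.group(1)
        elif m := re.match(r"switchport voice vlan (\S+)$", line):
            cfg["voice_vlan"] = m.group(1)
        elif m := re.match(r"authentication host-mode (\S+)$", line):
            cfg["host_mode"] = m.group(1)
        elif line == "authentication open":
            cfg["open"] = True
        elif line == "mab":
            cfg["mab"] = True
        elif line == "dot1x pae authenticator":
            cfg["dot1x"] = True
    return cfg


def assess(result, cfg, endpoint_uses_dhcp):
    """Compare what ISE returned with what the port already carries.

    endpoint_uses_dhcp is an assumed input: whether the endpoint learns its
    address by DHCP (the stranding case described in the thread) or is static.
    """
    # device-traffic-class=voice tells the switch to put the endpoint in the
    # voice domain, so the VLAN it returned is compared with the voice VLAN.
    domain = "voice" if result["av_pairs"].get("device-traffic-class") == "voice" else "data"
    configured = cfg["voice_vlan"] if domain == "voice" else cfg["access_vlan"]
    vlan_changed = result["vlan"] is not None and result["vlan"] != configured
    notes = [f"ISE authorized the endpoint into the {domain} domain on VLAN {result['vlan']}"]
    if vlan_changed:
        notes.append(f"dynamic VLAN {result['vlan']} differs from the port's configured {domain} VLAN {configured}")
        if cfg["open"] and endpoint_uses_dhcp:
            notes.append("open mode + DHCP: the endpoint may already hold a lease from the "
                         "pre-auth VLAN and be stranded after the move")
    else:
        notes.append(f"dynamic VLAN matches the port's {domain} VLAN {configured}; "
                     "the VLAN assignment itself changes nothing")
    if domain == "voice":
        notes.append("profile VOICE placed this endpoint in the voice domain rather than the "
                     "access VLAN; confirm that is the domain this device should be in")
    return {"domain": domain, "dynamic_vlan": result["vlan"], "configured_vlan": configured,
            "vlan_changed": vlan_changed,
            "stranding_risk": bool(vlan_changed and cfg["open"] and endpoint_uses_dhcp),
            "notes": notes}


if __name__ == "__main__":
    verdict = assess(parse_result(SAMPLE_RESULT), parse_port(SAMPLE_PORT), endpoint_uses_dhcp=False)
    for note in verdict["notes"]:
        print("-", note)
```

Run against the thread's own data, the checker reports that the endpoint was authorized into the voice domain on VLAN 510, which is exactly the port's configured voice VLAN, so the dynamic VLAN assignment itself is not what differs between the manually tagged and MAB cases; the remaining question it surfaces is whether the VOICE profile (and therefore the voice domain) is the right place for the devices that do not come up.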
08-16-2018 09:43 AM
Please review the ISE Wired Access Deployment Guide for best practice switchport configurations, IP Phone support and Troubleshooting.
Otherwise, just call TAC to troubleshoot.