RT-5OG-01#sh run int g5/0/1
Building configuration...

Current configuration : 868 bytes
!
interface GigabitEthernet5/0/1
switchport access vlan 2999
switchport mode access
switchport voice vlan 2010
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 2005
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 28800
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
auto qos trust dscp
spanning-tree portfast
service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
end

RT-5OG-01#sh access-session int g5/0/1
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi5/0/1 080f.e575.d500 mab DATA Auth 334263640000009476CE4404
Gi5/0/1 080f.e575.d501 N/A UNKNOWN Unauth 33426364000000B376F8E409
Gi5/0/1 40f4.9f29.1e80 N/A UNKNOWN Unauth 334263640000009376CE3D9C

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
11 5 dot1xSup
10 5 dot1x
14 10 webauth
12 15 mab

RT-5OG-01#

there is only one host connected to the port

IP Device Tracking (IPDT) actively generates and learns MAC addresses from the local infrastructure on access ports.
When MAB + multi-factor authentication is enabled, each learned MAC address equates to one authentication attempt.

Try disabling the interface tracking.

no device-tracking attach-policy IPDT_POLICY
no ip device tracking

thanks, but without device tracking i had an issue with cached authenticated session

access-session control-direction in will fix the problem with the physical mac, but not the base mac of the stack member 

The MAC address on the stack isn't a bug; it can simply reach the authentication state machine.

I see two options:

1. Configure multi-domain host mode (best practice)

authentication host-mode multi-domain

2. Keep multi-auth, so you need a local reject, not an ISE one.

authentication mab infrastructure-mac ignore (I don't know if this command is available in your version)

I would leave your configuration like this:

interface Gi5/0/1
switchport mode access
switchport access vlan 2999
switchport voice vlan 2010

authentication control-direction in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict

mab
dot1x pae authenticator

no device-tracking attach-policy IPDT_POLICY

spanning-tree portfast

6. By default, an 802.1X-enabled switch port accepts only one MAC address. Since the idea of open mode is to ensure that there is no disruption, enabling multi-auth host mode is recommended, which allows for one IP Phone an unlimited number of workstations/data_endpoints to authenticate on the interface.

   c9300-Sw(config-if)#authentication host-mode multi-auth

• Host modes–Four host modes can be configured on a port.

Multi-Auth (Current): Authenticates every MAC. This is why you see the client, the interface MAC, and the base MAC all trying to log in.

Multi-Domain (Recommended): Optimized for "IP Phone + PC." It allows one device per domain. Once your client (080f.e575.d500) hits the DATA domain, the switch stops trying to authenticate other "data" MACs on that port.

Let's try below :

conf t
interface GigabitEthernet5/0/1
 no authentication host-mode multi-auth
 authentication host-mode multi-domain

If single host, you can also try :

interface Gi5/0/1
 authentication host-mode single-host

Is this the only port with this issue, or is this configuration the same across all ports? Are any of them working as expected?

17.15.5 is the latest code; I have only tested 17.12.6 so far.

check wire and wireless deployment guide :

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

I use it this way and have never had any problems.

Well, I tried to help you, but it seems you already know everything. Good luck.

Maybe this will help you.

https://community.cisco.com/t5/security-knowledge-base/verify-ip-device-tracking-post-mab-configuration-on-switch/ta-p/5148985