06-04-2025 03:17 PM
Hi,
I have several devices on an unmanaged switch that I need to authenticate via MAB. The unmanaged and upstream switches are connected via an access port.
My idea is to configure MAB on an access port of the upstream switch and use multi-auth host-mode.
Would this work? Do I need to authorize the MAC of the switchport of the unmanaged switch as well? Can I use dynamic VLAN assignment in such a case?
06-06-2025 01:52 PM
You need to tell ISE a few things to ensure that you have a seamless re-authentication (no connectivity loss). The Authorization Profile must contain the following information:
termination-action-modifier=1
In my Profile, I set the VLAN to 100 and a 28800-second re-auth interval - ISE sends these RADIUS attributes to the switch:
06-07-2025 11:42 AM
What is the purpose of using session timeout? What can go wrong if it is not used?
06-07-2025 02:31 PM
I mentioned it earlier - it has to do with managing the session table on the managed switch. Every NAC-enabled interface will create a new session when a new MAC address is learned. If you don't put a time limit (session timeout) on a session, then the session will live forever - unless the interface link goes DOWN (device disconnected or port shut), which clears the session. A switch reload also clears the session table.
The problem is that your managed switch has no knowledge that a device was unplugged on the dumb switch. How could it? Therefore you have to solve the issue of "stale sessions" differently. You set a timer (e.g. an 18-hour countdown) from the time the MAC address is seen on the managed switch and the session is created. If in that time the device is unplugged on the dumb switch, the session continues. If you were to check the MAC address table of the managed switch, you'd notice that the MAC address of the removed device will eventually disappear - but the session still lives. After the session timeout has reached 0, the managed switch will notice that the MAC address is no longer there and will clear the session. On the other hand, if the MAC address was still there because the device was still connected, then the managed switch would send a re-auth to ISE and that would reset the timer for another 18 hours - the data traffic is not affected by this (if you do the re-auth like I mentioned).
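The following is an added example (not posted by anyone in this thread) of what the setup discussed above looks like on the managed (upstream) switch: a single access port facing the unmanaged switch, MAB in multi-auth host-mode, periodic re-authentication whose timer is taken from the RADIUS server, and the RADIUS attributes the authorization profile is expected to return. The interface name GigabitEthernet1/0/10, the fallback VLAN 10, the authorized VLAN 100 and the 28800-second timer are assumptions; the attribute names and numbers in the comments are standard RADIUS (RFC 2865 / RFC 3580), not values copied from the poster's ISE profile.

```cisco
! --- Added example: upstream Cisco IOS switch, port towards an unmanaged switch ---
! Assumes ISE is already defined as the RADIUS server for this switch.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description Uplink to unmanaged switch - one MAB session per learned MAC
 switchport mode access
 ! VLAN used only while no device on the port has been authorized yet
 switchport access vlan 10
 ! Every MAC learned behind the unmanaged switch gets its own session
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 authentication port-control auto
 ! Periodic re-auth, with the interval supplied by ISE (Session-Timeout)
 ! rather than a locally configured value
 authentication periodic
 authentication timer reauthenticate server
 mab
 spanning-tree portfast
!
! Attributes the ISE Authorization Profile is expected to return for each MAC
! (standard RADIUS attributes; the numeric values below are assumptions):
!   Session-Timeout (27)         = 28800    -> 8 h re-auth countdown per session
!   Termination-Action (29)      = 1        -> RADIUS-Request: re-auth instead of
!                                             tearing the session down at expiry
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = 100      -> dynamic VLAN assignment
!
! Checks after a device is unplugged on the unmanaged switch:
!   show authentication sessions interface GigabitEthernet1/0/10 details
!   show mac address-table interface GigabitEthernet1/0/10
! The MAC ages out of the second output first; the session in the first
! output stays until its Session-Timeout reaches 0 and the re-auth fails.
```

Because the port is an access port, every frame from the unmanaged switch arrives untagged, so dynamic VLAN assignment in multi-auth mode only behaves sensibly if all authorized MACs on that port land in the same VLAN; in the thread's case that is VLAN 100 for everything behind the unmanaged switch.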
06-07-2025 03:13 PM
What would or can happen if the session lives forever?
06-07-2025 04:13 PM