Thanks for the response, Howon. I have seen the two Shoretel specific posts you referred to.

Here is more detail on our main issue:

We have Shoretel phone connected to 2960s switch.

Behind phone is Windows 10 PC.

Using dot1.x with cert for computer authentication and MAB for phone and printers.

Phone will have connectivity and service but PC will not have ethernet connectivity. Logs report dot1x and MAB are authorized, etc.

Only way to get PC on network is to remove the dot1.x/mab config from switchport.

Port interface configuration:

switchport access vlan 10
switchport mode access
switchport voice vlan 200
spanning-tree portfast

authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator

Are you saying the switch shows both Phone and PC authorized but only Phone is functional? Can you share the output of 'show authentication session interface Gig x/y/z detail'? Also, post the authentication details on the ISE for both the phone and the PC.

Yes, that is correct.

Here is the switchport output:

show authentication sessions int gigabitEthernet 2/0/37

Interface    MAC Address    Method  Domain  Status Fg Session ID

----------------------------------------------------------------------

Gi2/0/37     c434.6b6f.534b dot1x   DATA    Auth      0A1911130000015E194F292F

Within the ISE log I can see both the phone and PC successfully connecting.

Gi2/0/37     0010.491e.992c mab     VOICE   Auth      0A1911130000003700020106