We have deployed ISE 3.3 with the Windows native supplicant for IEEE 802.1X on the endpoint.
Authenticator (NAD) is a Cisco 1000 Switch. The switch is configured using the IBNS 2.0 template.
The endpoint posture scan is using Cisco Secure Client 5.1.
The authentication method used is EAP-TTLS (PAP) in the Windows native supplicant.
We have an Unknown VLAN, Production VLAN, and Quarantine VLAN configured. Authorization profiles have been created for the Production and Quarantine VLANs.
Initially, the machine is by default in the Unknown VLAN. Users get authenticated using EAP-TTLS (PAP) via the Windows native supplicant. A posture scan happens, and based on the posture result, the machine gets the Production VLAN or the Quarantine VLAN.
Save credential is configured on the Windows native supplicant, so the user is not prompted for authentication once logged in on the machine.
This is working as expected on many machines. However, we have observed that on certain machines the user suddenly gets disconnected from the Production VLAN and goes into the Unknown VLAN. Ideally, once the user is authenticated and the machine is authorised on the switch port, ISE does not play a role in further user machine communication.
It might happen due to a loose network cable connection. But after removing the cable and inserting it back, the user is prompted with the Windows native supplicant authentication prompt.
The query is: if save credential is configured, then after reinserting the network cable it should go directly to the Production VLAN, correct?
Or is it some switch timer in IBNS that forces the Windows native supplicant authentication prompt?