One option you can use with Flex APs is the "authentication host-mode multi-host". In this scenario only the first MAC address on the port (the AP) will be authenticated, all other MAC addresses (your flex clients) will not be subject to authentication. The controller should be authenticating the flex wireless clients, not the switch.
There is no specific, "built-in" support in ISE for Flex APs. As with any other devices that connect to the switch ports, there are several options to make them work on the network or to block them
Have a look at this document from Cisco, it goes through potential solutions to your issue.
It was discussed before:
Doesn't seem to work as intended.