I have been troubleshooting massive issues in my ISE 1.2 lab; all of a sudden authentications are either not working or taking a very long time. I originally thought that adding a new piece of switching equipment may have been the cause of the issue. At times my workstations and laptops could authenticate, but most of the time they couldn't, and mobile devices could never authenticate.
During some testing I joined one of my wireless networks that uses a Test policy set that has hardly any rules in it. I noticed that there were no authentication issues when this policy set was used, but my production policy sets all had the same problem. I then went to review the logs for the MDM and noticed the ISE was not able to get client status off the MDM. I checked, and the MDM and the ISE are no longer communicating, as there seems to be an issue with the MDM. I changed all my policies to not do any MDM checks, and all my latency and authentication issues were fixed. For some reason, if any rules within the policy set use the MDM, or if you are hitting a policy that is lower down in the policy set after an MDM check, you will have massive issues with the authentication.
I hope this may help someone else who is hitting this issue and struggling; either disable or remove MDM checks from your policies or get your MDM and ISE communication back up ASAP.
There is a bug in the Cisco release notes that matches your description; it was fixed in patch 3.
This fix addresses an issue where, with MDM authentication rules enabled, all RADIUS authentications fail after several successful runs with the following error message: 5436 RADIUS packet already in the process.
However, there seems to be another bug related to MDM integration with patches 3 and 4; see below.
This bug looks like it is fixed in patch 6.
Thanks, but I'm running patch 7, and the issue I am seeing is that my MDM has crashed, and since the ISE is failing to talk to the MDM it is causing all other policies within the policy set to have issues. I'm sure once the MDM is recovered I can add the MDM rules back into the policies. I did hit the other bugs you are talking about, but this one seems a bit different.
Thanks for posting this issue. I am having a similar experience in ISE 1.3. I upgraded about a month ago, and when MDM is turned on I start seeing the message "5436 RADIUS packet already in the process" and the WLC moves to the other PSN that I have. After turning the MDM off, the PSN reporting the error "5436 RADIUS packet already in the process" doesn't stop reporting it and has to be rebooted to clear the continuous stream of messages. I hope this gets corrected soon, as the MDM integration is a vital tool for me.