I am wondering what the best practice is for a control policy for the event "event inactivity-timeout match-all" and what the differences are between using "clear-session" and "unauthorize".
The Command Reference for IOS XE gives an example for both "clear-session" and "unauthorize" used in the event "event inactivity-timeout match-all". The IBNS 2.0 Deployment Guide shows three examples of using unauthorize for "event inactivity-timeout match-all".
Can you please explain the differences between clear-session and unauthorize and when I should use one over the other?
This is not exactly limited to ISE 2.x, so it is best for you to consult the switch team.
This mainly affects devices behind an IP phone or similar. The usual practice is to clear the sessions so as to allow the affected devices to initiate new sessions when they are back online. You might want to use unauthorize to not allow the endpoints to initiate new sessions without admin intervention.