Do you have AnyConnect attempting to establish the connection before the user logs in? If so, I believe there would be no username associated so the machine would attempt to log in with its own machine account instead of waiting for the user login.
ISE 2.0 is out as of 15 Oct 2015. It looks a bit better, and does support TACACS, if you buy the license for it (which apparently doesn't have a SKU for purchase yet). From the ISE handbook: “Cisco ISE requires a Device Administration license to use th...
Sounds like your PoE injector/switch isn't capable of providing enough power for the radios to be on full tilt. Do you have a 12v power supply that is sufficient for the AP? If so, I would boot from that and then turn down the channel widths on your ...