I think jan is right, choose EAP-TLS or PEAP, not both.
However, your rule is failing on the WasMachineAuthenticated attribute. This is not a very good feature and pretty much fails when using more than one PSN. The problem being machine authc happen...
You have to import the CA as a trusted cert.
When you create your Authz rule you should have some identifying info from that specific cert chain, i.e. CN ends with "mydomain.com".
Just make sure you correctly set up ISE to go and get the CRL from your CA...
I was going to suggest something similar.
Had a customer whose switch was doing something similar. Turned out the 2960 (I don't remember which IOS version, 12.2 possibly) needed the switchport command and then authentications were fine.
I missed the ...
So I have an HP DL360 G5 that has 2 NICs and runs ESXi.
I have one NIC trunked and used for different server vlans.
I have one NIC on an access vlan that is protected by dot1x.
I have dot1x on the port for the access vlan and that does auths as if it...