The TL;DR: Deployed Cisco ISE to a site with mostly Mac laptops. Users cannot log into their machines or the network immediately, and have to jump through hoops to authenticate on the network properly.
So here's a weird question, one that I'm not sure is even right for /r/networking, but I figured it couldn't hurt to ask here.
We deployed Cisco ISE at one of our more remote branches. However, our users aren't able to authenticate with the domain properly. Below are the symptoms users run into:
- User enters their AD username and password, as well as the dot1x network.
- The laptop acts as if they were not authenticated properly, shaking at the password screen.
- User hits enter again at the login screen (or retypes their password thinking they entered it incorrectly).
- The user is logged in, but is thrown onto the guest network.
The 2 ways users resolve this issue:
- The user goes into System Preferences -> Network -> selects the wired network in the network preferences screen -> disconnects from the network -> selects the connect button -> is prompted for network username and password -> enters credentials a 3rd time -> is on the corporate network.
- At the login screen, after entering the username/password/network the first time and being told their account password was incorrect, the user selects "none" for network. They hit enter again. They are logged into the computer with a corporate IP address.
The issue seems to revolve around the state of the machine itself. After entering their username and password, they'll be authenticated on the network, but not move on to the next stage -> logging them into their machines. There could be multiple reasons why this is, and we've been working to narrow down the cause. So far, here's what we've confirmed:
- The issue only affects Apple Mac devices (99% of our users). We've tested Windows machines and they work without fail. But Mac devices, regardless of version, fail.
- EAP-TLS works without issue. Confirmed with packet tracer, and the fact that it will authenticate the user on the network.
- Confirmed all machines - laptops/desktops, ISE, switches - can reach the domain controller and ISE itself.
- ISE sees the user as successfully logged into the network on the 1st attempt. After the 2nd attempt it shows a failed attempt. This is because the user's accounting authenticates within ISE successfully the first time around, but fails when the user re-attempts to authenticate with the network.
- Have moved multiple machines between multiple ports across rooms and buildings. So, for better or worse, the issue is at least consistent.
Key facts:
- ISE version 2.3
- All but 2 machines are Mac laptops and desktops (the all-in-ones).
- All Mac laptops and desktops only connect to the network over a wired connection. We even outright disabled the wireless NIC on the machines.
- The user accounts are Windows AD accounts.
- ISE is the RADIUS server facilitating network authentication between the user and the network itself (felt it needed to be stated).
- For what it's worth, we use JAMF to generate supplicants.
There's a lot more to this issue than meets the eye, and I've only scratched the surface on everything we've tried. If anyone has any thoughts or suggestions I would greatly appreciate it.