Windows 10 machine onboard every couple of days

chrisvanwyk
Level 1
Hi

I have a client that is using Windows 10 machines. The machine onboards without any issues, but every week or so the machine does not send the user authentication and wants to onboard again. Where do I look to get this resolved?

ISE version 2.2

Switch 3850

C3PL on the ports

policy-map type control subscriber ISE-PORTS-Configuration
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-all
   10 restrict
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab


Craig Hyps
Level 10
Not clear what is meant by "onboards every two days": does it actually go through some type of onboarding flow, or does it simply lose connectivity?

General troubleshooting prior to opening case with Microsoft and possibly Cisco TAC:

- Are other clients working as expected?

- Is issue isolated to specific Windows version, or switch, switch model, version, or config?

- What is the triggering event for the endpoint to restart auth? CoA? Session timeout? Other?

- Is there a periodic event that correlates to the 2 day period such as session timer or other?

- Does logoff/login resolve? Reboot resolve? Plug/unplug of device?

- Is PC behind phone which may interfere with communications?

Craig

"Does logoff/login resolve? Reboot resolve? Plug/unplug of device?" Yes, this does work.

User auth does not happen and then hits default rule to onboard.

Please take a look at the comment posted by edondurguti at How To: Universal IOS Switch Config for ISE.

Hi

It seems the user disconnects from the port, goes home, and the next morning when he plugs his PC back in, no authentication happens. For the moment it looks like Windows 10 machines.

It will be difficult to troubleshoot, especially with such limited info.

Still not clear what "onboard" exactly means, whether a simple connection to the network or a transition to the BYOD flow. Many questions are unanswered, and the one that was answered about reboot/disconnect is later contradicted. For example, you earlier state that unplug/plug of the device works, but then say that user disconnect/reconnect may result in no auth.

By saying "it looks like Windows 10 machines", does that mean all other Windows clients are working as expected?

When the user disconnects, does the switch properly reflect the auth status via 'show auth status int <interface>'? Is the session cleared at the switch? Does ISE consider the session still connected? Again, if connecting through an intermediate phone switch, then that too can complicate signals to the switch.

You can also try responses to Windows 10 connectivity such as following: https://social.technet.microsoft.com/Forums/en-US/bc0a05a4-c62d-41a2-9ea3-79b589829a7e/windows-10-8021x-wired-authentication-issue?forum=win10itpronetworking

Hi, thanks for the reply.

Tried the link below, still an issue.

You can also try responses to Windows 10 connectivity such as following: https://social.technet.microsoft.com/Forums/en-US/bc0a05a4-c62d-41a2-9ea3-79b589829a7e/windows-10-8021x-wired-authentication-issue?forum=win10itpronetworking

I am looking for assistance on the c3pl configuration rather than looking at the Machine issue now. I might have left some stuff out from the normal way of configuration.

Here is the updated C3PL configuration. I need verification that the below is either good or needs some adjustments.

policy-map type control subscriber ISE-PORTS-Configuration
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-all
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
   30 authentication-restart 30
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
   20 authentication-restart 30
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-all
   10 restrict

authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session control-direction in
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber ISE-PORTS-Configuration
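A small added helper, not part of the thread or of any Cisco tool, for reviewing a C3PL policy-map like the one above before pushing it to the switch: it parses the event/class/action tree and flags two things a reviewer would check by eye, classes under one event whose names differ only by "_" versus "-" (the posted policy references both DOT1X_FAILED and DOT1X-FAILED under authentication-failure; whether both class-maps exist is an assumption the script cannot verify) and classes with no actions. The sample text is a constructed, abridged copy of the posted policy.

```python
import re
from collections import defaultdict

# Constructed sample: the session-started and authentication-failure sections of
# the policy-map posted above, re-indented and abridged (AAA-DOWN/always omitted).
SAMPLE_POLICY = """\
policy-map type control subscriber ISE-PORTS-Configuration
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-all
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
   30 authentication-restart 30
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
   20 authentication-restart 30
"""

EVENT_RE = re.compile(r"^\s*event\s+(\S+)\s+match-\S+\s*$")
CLASS_RE = re.compile(r"^\s*(\d+)\s+class\s+(\S+)\s+(do-\S+)\s*$")
ACTION_RE = re.compile(r"^\s*\d+\s+(.+?)\s*$")

def parse_policy(text):
    """Map each event name to its ordered list of (seq, class, mode, actions)."""
    events, event = defaultdict(list), None
    for line in text.splitlines():
        if (m := EVENT_RE.match(line)):
            event = m.group(1)
        elif (m := CLASS_RE.match(line)) and event:
            events[event].append((int(m.group(1)), m.group(2), m.group(3), []))
        elif (m := ACTION_RE.match(line)) and event and events[event]:
            events[event][-1][3].append(m.group(1))   # action belongs to last class
    return dict(events)

def lint_policy(policy):
    """Flag near-duplicate class names ('_' vs '-') and classes without actions."""
    findings = []
    for event, classes in policy.items():
        canon = {}   # normalised name -> first spelling seen under this event
        for seq, name, _mode, actions in classes:
            key = name.lower().replace("_", "-")
            if key in canon and canon[key] != name:
                findings.append(f"{event}: seq {seq} class '{name}' vs '{canon[key]}'")
            canon.setdefault(key, name)
            if not actions:
                findings.append(f"{event}: seq {seq} class '{name}' has no actions")
    return findings

if __name__ == "__main__":
    for finding in lint_policy(parse_policy(SAMPLE_POLICY)):
        print(finding)
```

Feed it the output of `show running-config | section policy-map type control subscriber` to review the live policy rather than the sample.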