Hi, Could you explain a little more about this please? 

So the switch uses PAP for username and password? -But it's the PC that is authenticating? 

How do I change the behavior of the switch? or where would I change the host lookup option?

thanks

sure friend 
I am here to help other 
check this 
Solved: ISE MAB Host Lookup - PAP or EAP-MD5 - Cisco Community

Thanks. The thing is though, I don't want the authentication to fall back to MAB. I want the user to use the certificate from the machine to authenticate against ISE.

I have a Machine certificate (which is working correctly) and I have a user certificate.

share the config of SW port

MHM

The switchport config is:

int g1/0/23

switchport access vlan xx

switchport mode access

authentication host-mode multi-auth

authentication port-control auto

authentication event fail action next-method

authentication order dot1x mab

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

The certificate is installed on the PC via Group Policy.

If I got to adapter settings on the PC I can see that dot1x is enabled and this is being pushed via GP. 802.1x enabled, use smartcard of certificate.

These are ticked.

@alliasneo1 so there is a certificate in the user certificate store?

If there wasn't that would explain why it's failed over to attempt MAB.

Hi,

I've checked the certmgr console and added the certificates - current user snap in. When I click on Personal, it says 'there are no items to show in this view' and at the bottom it says 'Personal Store contains no certificates'.

Is this a Group Policy thing that isn't showing me the certs or does that mean it is actually empty and the cert hasn't been pushed to the machine? Is there any other way of looking at user certs?