Easiest way to start troubleshooting is to get a spare laptop and simulate the issues yourself.
After authenticating (with AD credentials) you can log onto Clearpass, open Access Tracker and filter for that spare laptops mac address to see all its authentications.
That will basically show you what service is used along with alot of other information. Basically Access Tracker is your best bet at troubleshooting authentication issues with Clearpass.
If your userrs are fiorced to reauthenticate with their AD credentials then surely something is wrong with your MAC authentication.
Do you see any MAC authentications happening in Access Tracker? If not, your MAC auth configuration on the controller or switch is missing! You need this to do MAC caching.
If you see alot of rejects, see what service they match. Is this the correct service? If it is, why is it failing?
Depending on what you find using this, we will need additional info again.