Thanks @cjoseph.
Eh, frankly, most of our 'problems' ultimately stem from plunging headlong into this testing without a deep and thorough understanding of 802.1x/eap-tls at either a theoretical or practical implementation level at the Clearpass, network (wired and wireless), and endpoint levels. And some of the things we're running into are more a product of assuming something should act in a particular way without having done the research to realize otherwise beforehand. Go figure. :)
But, going back to machine authentication. Yes, we're caching the machine auth for 3 days currently. Ideally, we'd like to tune that down to a shorter duration. Until now, the vast majority of our users didn't shut down/log out daily. They'd just lock/sleep the machine indefinitely (until we push a patch/update, etc. where we might force a reboot). Admittedly, it's a hassle to shut down all your apps/programs every day in order to force the machine auth. We're a small company but, even so, if it takes even 2 minutes to fully shut down, log out or reboot, and reopen all your apps (and I think that's a conservative estimate), that's over 13 hours a day of idle/unproductive time across a user population of only 400 employees (2 min * 400 users = 800 min = 13.33 hours/day). I had just assumed that Windows would perform periodic machine auths while connected to the network after a user login and perpetually refresh/extend the Clearpass machine auth timer and avoid this login 'tax'.
And, not to conflate issues, we're also seeing where a user will boot up a machine while docked (i.e., connected to the wired network) and successfully perform a wired machine+user auth. However, the machine would not have performed a wireless machine auth. So, if that user undocks to, say, run off to a meeting, the machine won't connect to wireless b/c we haven't seen the wireless machine auth. So, again, they have to log off/on or reboot. Maybe that's a GPO setting we can tweak but we have not trodden down that rabbit hole yet.
Ultimately, we need to step back and take a more thorough assessment of what we're trying to do, get some actual training, do more research and testing but I just wouldn't have assumed things acted like this at the outset.
Thanks again for your input and expertise!