I am having devices that all of a sudden will not use NAC and it is under one of two conditions.
1. If the device has more than one certificate and one of them is not a client auth or doesn't have email as the subject name or
2. The device has two client auth certificates and one of them is expired.
In both cases there was not an issue for several weeks and then all of a sudden the device stops working.