When a NAC rule uses the “LDAP Host Group” component, the hostname resolved by NAC must be present in the LDAP server’s database for that component to match. If the hostname was resolved only by DHCP, and therefore has no FQDN, chances are the LDAP lookup will fail. In this case you can try changing the Host Search Attribute in the associated LDAP Config from “dNSHostName” to “name”.
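
The mismatch described above can be reproduced offline with the following added example, which is not code from NAC. It assumes the lookup is an equality filter on the configured Host Search Attribute, compared case-insensitively, and that the directory stores the FQDN in `dNSHostName` and the short computer name in `name`; the directory entries, hostnames and function names are constructed for illustration.

```python
# Added illustration: models the Host Search Attribute lookup against
# constructed directory entries. The real NAC matching logic is not shown
# on this page; an equality match, case-insensitive, is assumed here.

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an LDAP filter value."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def build_filter(attr, hostname):
    """Filter string to paste into an LDAP client when checking by hand."""
    return '(%s=%s)' % (attr, escape_filter_value(hostname))

# Constructed sample entries (not from any real directory).
DIRECTORY = [
    {"dn": "CN=WS-0142,OU=Workstations,DC=corp,DC=example",
     "name": "WS-0142", "dNSHostName": "ws-0142.corp.example"},
    {"dn": "CN=KIOSK-07,OU=Kiosks,DC=corp,DC=example",
     "name": "KIOSK-07"},  # entry without dNSHostName populated
]

def lookup(attr, hostname, entries=DIRECTORY):
    """Return the DNs whose attribute equals the hostname, ignoring case."""
    wanted = hostname.lower()
    return [e["dn"] for e in entries if e.get(attr, "").lower() == wanted]

def diagnose(hostname):
    """Report which Host Search Attribute setting would find this hostname."""
    return {attr: bool(lookup(attr, hostname))
            for attr in ("dNSHostName", "name")}

if __name__ == "__main__":
    # Short name as learned from DHCP, then the FQDN as learned from DNS.
    for resolved in ("ws-0142", "ws-0142.corp.example", "kiosk-07"):
        print(resolved, diagnose(resolved),
              build_filter("name", resolved))
```

In this model a hostname resolved with its FQDN matches only `dNSHostName`, so check how most of your end systems are resolved before changing the attribute.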