We are only enabling those that support 802.1x and there are a handful, where we can import the cert & enable dot1x. 

I'm exploring on how to create/generate the cert from ISE and export it to be imported to the said device to be authenticated. 

Thanks for your suggestion for PxGrid, but we do not have the Plus license, hence couldnt use it

Any other suggestion on how i can generate the cert from ISE (to be trusted from the iot device) ? 

You could get a 90 day eval of the Plus license (100 endpoints). I am quite certain that once you have created those certificates, they won’t disappear from the system after the 90 days.  You might just get a license expiration warning. 
100 Plus licenses should not be too expensive in the long run. 

Thanks again for your prompt assistance.

Ive managed to get the zip file with all the certs required and imported to the IOT (enabled dot1x).

Created Authentication profile based on the Certificate profile (with relevant Authorization profile to permit the device with specific VLAN)

But, its not hitting/matching the Authentication profile that i wanted for it to check/read the certificate details. 

Apology if this sounds 'stupid', but i couldnt find a proper document for this anywhere..as im getting in circles or im looking it at the wrong place. 

I would send some screen shots but I am not near a computer at the moment. The authentication Policy Set needs an allowed Protocols that allows eap-tls and the authentication itself references a certificate profile that specifies if there are parts of the cert that you want to look up (eg the Subject or SAN) etc. 

have a look at the lab minute series video. This is video 1

https://www.labminutes.com/sec0274_ise_22_wireless_dot1x_eap_tls_peap_1

Thanks again for your reply, and i did have a look at the video before.

Yes, I've done below on the ISE :

- Allowed PEAP & EAP-TLS protocol

- Authentication Profile matching the Certificate profile ive created matching SAN (created via pxGrid) 

As for the client/supplicant :

- enabled 802.1x using certificate (eap-tls)

- imported only machine cert created from pxGrid  (there are a lot of other file which i dont think is needed, i maybe wrong again)

But still not 'hitting' the authentication policy ive created

post some screen shots of the Policy Set - details of the Authentication, and Authorization please.

Do you use the NAS (NAD) for anything else in that ISE server? Have you added it to the ISE Devices List and is the Radius shared secret correct? Is the NAS/NAD configured correctly with the ISE IP address and shared secret? 

Is this wired or wireless?

This is an existing setup, hence all the relevant NAS-CIsco SW (shared secret) are already in place. Below are the snippets :

1- Certificate Template

2- Certificate Profile

3- Authentication Policy (apology, have to amend some of the information due to Prod setup)

During testing, the device does not hit/match the IOT-Cert authentication policy at all, hence it wont be matching the authorization i wanted it to match. 

Great screen shots - that helps a lot.

Since this is an IOT device, are you 100% sure that the supplicant is correctly configured? In other words, is it sending EAPOL frames towards the switch? You might want to run a tcpdump on the ISE PSN node to confirm that the RADIUS packets do indeed contain EAP payload.

Here is a handy command to test whether the attached client speaks EAPOL (perhaps hardcode the port to access vlan in order to bring the interface up before running this test)

Test device on access switch port to see whether it has a configured supplicant

9300# term monitor

9300# dot1x test eapol-capable interface te 1/0/46

Mar 27 23:40:29.175: %DOT1X-4-INFO_EAPOL_PING_RESPONSE: Switch 1 R0/0: sessmgrd: The interface Te1/0/46 has an 802.1x capable client with MAC 7872.5d3f.a55a

When you connect the IOT device, what is the end result? Do you see EAP processing on the switch? Do you see the Steps that ISE took to process the Auth request in the Details?

I am not 100% sure that having two identical Authentication Conditions (Wired 802.1X AND EAP-TLS) will allow you to process the second Rule (e.g. Laptop-Cert) in your case. If laptop or IOT comes along with wired 802.1X and EAP-TLS then Rule 1 is satisfied - and then the cert processing is done and AD lookup etc. - if that fails, then I don't think ISE will continue to Rule 2. I would make each Rule a bit more specific, by including another AND operand such as "CERTIFICATE Issuer = 'blah'" to tell ISE to use that Rule unambiguously.

Thanks again for some of the troubleshooting steps, i will proceed to to test the port to confirm the IOT dot1x capabilities (well, the vendor did mentioned he tested with others and it worked, and it's configured for dot1x with eap-tls, which ive checked)

Ive tried to find a way to 'consolidate' both certificate option for Laptop and IOT, but couldn't, hence i created a 2nd authentication profile. 

I'm sure this is being used in other organisation where different certificate will be use or need to check. (this is where i did mentioned that i couldn't find the appropriate documentation)

Let us know how you get on.

When dealing with multiple EAP-TLS client cert "types" from the same NAS, then you can distinguish them during Authentication using the method I proposed. I have done this in a number of projects. You have access to the CERTIFICATE attributes during authentication, and therefore you can point ISE in the right direction regarding WHICH certificate attribute you are interested in for authentication (certificate profile selection).

The Policy Set will not continue processing if you have matched a Rule, but then proceed to fail during Authentication (e.g. IOT client cert  comes along, and you perform auth using the Employee client profile ... Authentication should(will) fail - and then the Access-Reject is sent to the NAS - end of story). You don't get to "fail through" to the next rule.   There is an option in Authentication called "If Auth Fail 'Continue'" - but Continue in this case means, continue to Authorization (and bypass Authentication). 

I think i managed to get it worked after few tries, as im not sure is the IOT device or ISE configuration issue :

1- No separate certificate profile needed (if there's one in place already)

2- Create cert via pxgrid (as suggested by you)

3- Imported Root and Machine cert to the IOT device (enabled 802.1x)

4- Create an authorization profile matching the cert details and assign appropriate access

Tested few devices and it worked   but I've been advised to use ISE PKI certificate instead of pxGrid.