CSCvz78531 EAP-TLS human readable live log error messages needed

Daeman
Level 1

The root of this issue was ISE internal mandatory EAP-TLS (and any outer method, e.g. FAST, TEAP, and PEAP) checks and supplicant DoD CAC user certificates. Current DoD PIV (SAN contains User Principal Name UPN = FASC-N) certificates have a key usage of Digital Signature and enhanced/extended key usage of Client Authentication. ISE will not perform the TLS handshake for EAP-TLS without the supplicant certificate key usage of key encipherment.

The workaround to this issue is to browse to Administration > Settings > Security Settings and check the box for "Accept certificates without validating purpose." ISE will then have no issue performing EAP-TLS handshakes with supplicant certificates that do not contain the key encipherment usage. Per TAC, the requirement/check for key encipherment was added in ISE 2.3. Confirmed the workaround to function in versions 2.6-3.1. ISE documentation regarding supplicant certificate key usage requirements does not provide sufficient details in regards to this issue. This workaround may not be required in the future if DoD PIV certificates have the Key Encipherment usage added to their CA template.

Also reference CSCvz78547 in regards to the workaround and lack of guidance within the current admin guide on this issue.

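As an added example (not from the original post, and not Cisco's or ISE's own code), a shell check that reports a supplicant certificate's Key Usage and Extended Key Usage and flags the missing Key Encipherment bit the post describes, so an admin can tell before enabling "Accept certificates without validating purpose" whether that is the cause. It assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH and builds two constructed self-signed test certificates.

```shell
#!/bin/sh
# check_eap_tls_cert PEMFILE
# Mirrors the purpose check the post attributes to ISE 2.3+:
#   0 = Key Encipherment present and clientAuth EKU present (handshake expected to succeed)
#   1 = clientAuth present but Key Encipherment missing (the DoD PIV case from the post)
#   2 = clientAuth EKU missing
#   3 = file is not a parsable X.509 certificate
check_eap_tls_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 3
    # openssl prints the extension name on one line and its value on the next
    ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    echo "Key Usage:          ${ku:-<absent>}"
    echo "Extended Key Usage: ${eku:-<absent>}"
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 2 ;; esac
    case "$ku"  in *"Key Encipherment"*) return 0 ;; *) return 1 ;; esac
}

# make_test_cert OUTFILE KEYUSAGE
# Constructed self-signed certificate for demonstration only; the key usage
# string is what distinguishes the PIV-style cert from one ISE accepts by default.
make_test_cert() {
    openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -keyout "${1%.pem}.key" -out "$1" -days 1 \
        -subj "/CN=constructed-test-user" \
        -addext "keyUsage=critical,$2" \
        -addext "extendedKeyUsage=clientAuth" 2>/dev/null
}

workdir=$(mktemp -d)
# Same usage bits the post reports for current DoD PIV certificates
make_test_cert "$workdir/piv-style.pem" "digitalSignature"
# Same cert with the bit ISE's default purpose validation requires
make_test_cert "$workdir/with-ke.pem"   "digitalSignature,keyEncipherment"

echo "== piv-style.pem =="; check_eap_tls_cert "$workdir/piv-style.pem"; echo "rc=$?"
echo "== with-ke.pem =="; check_eap_tls_cert "$workdir/with-ke.pem";   echo "rc=$?"
```

Run it against the actual supplicant certificate (`openssl x509` accepts PEM; add `-inform DER` for a raw CAC export) and a return code of 1 is the condition the workaround addresses.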