
Does ISE work in a multiple-VLAN, multiple-VM, one-guest situation?

Support ACME
Level 1

Hi, I am figuring out a solution for the difficulty stated in the title.

I am using VMware ESXi to host dozens of VMs and they are in various VLANs.

Since the number of physical ports is far fewer than the number of VLANs, I am now connecting the server to the switch via a trunk port.

Is there any solution to do ISE authentication for the hosted VMs of different VLANs? Virtual switch?

Thank you.

6 Replies

Nadav
Level 7

Hey there,

Are you referring to 802.1x or RADIUS AAA?

For 802.1x, communication is done between the authenticator (usually a switch) and the RADIUS server. The supplicants (endpoints, those being authenticated) do not communicate directly with the RADIUS server. So the trunks aren't an issue on the access layer.

For RADIUS AAA the trunks are also not an issue. Your NAD (in this case a server which is connected by trunk) has a unique IP address from which it sends its RADIUS messages. This is the same IP address configured on the server. Assuming all such IP addresses are unique within the same deployment, it doesn't matter how many VLANs a server is connected to; what matters is that all RADIUS packets are sent from the correct IP address. This can be verified by packet capture, and can be configured depending on the operating system (or application).

Thanks for the explanation, maybe I was not clear enough.

I want to do RADIUS authentication (802.1X or MAB), ISE is the NAS, a physical switch is the NAD.

My problem is, the physical switch port connecting to the physical server that hosts dozens of VMs using VMware ESXi is a trunk port because the VMs are sitting in different VLANs.

[ISE]=[SW]=(trunk_port)=[ESXi hosting multiple VMs in different VLANs]

To my knowledge, I think the link between an authenticator (the switch) and the supplicant (software inside the VM) must be a layer 2 access port because they use EAPoL to initiate the RADIUS authentication.

If I can't simply configure the trunk port to do the authentication, is there any workaround?

Thank you for the help.

EAPOL is EAP transported over Ethernet so it should technically support 802.1q.

I delved into more documentation.

In one document I've seen a few switches that supposedly do support this configuration:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/config-ieee-802x-pba.html

However, this seems to be contradicted in other documentation which states that 802.1x over a trunk is for Cisco NEAT (Network Edge Authentication Topology). Both these documents state that the 3850 is supported.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-6/configuration_guide/sec/b_166_sec_3850_cg/b_166_sec_3850_cg_chapter_010000.html

Perhaps the earlier documentation was referring to NEAT when it mentioned that static trunks are supported. If so, then your use case isn't supported for campus switches.

For Nexus switches, it seems clearer:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_011001.htm...

They even have an example there of how to configure 802.1x on a static port with "dot1x host-mode multi-host".

If you're using a campus switch, and a modern image, maybe try configuring it the way it's done on a Nexus trunk and see if that works well?

Thanks for taking your time for this. I found someone asked about dot1x on a trunk port before and apparently Cisco gave the answer and it was NO. I don't know if the newer IOS version supports this or not.

I am using C3650, C2960X and C9200 models. I can configure the port (trunk mode) with 802.1x authentication commands and didn't get the error messages they said when enabling 802.1x:

    dot1x pae authenticator
    authentication port-control auto
    authentication host-mode multi-auth

However, the supplicant fails to initiate the authentication.

I think one of the kinda silly solutions is to put an access switch in between, one access port per VLAN...

I am also considering using Cisco AVS in the VMware hypervisor but I guess I may take my time reading the documents.

What a rough start for my first time ISE deployment.

Thank you for the help.
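When the supplicant never gets past "fails to initiate", the first thing to establish from a capture on the trunk (or on a mirror of the VM's vSwitch port) is whether its EAPOL-Start frames leave the host tagged with the VM's VLAN or untagged, and whether any EAP exchange follows. The following Python parser is an added example, not code from the thread or from Cisco; it unwraps one optional 802.1Q tag, classifies EAPOL frames by VLAN and EAPOL type, and runs against constructed sample frames (the MAC addresses and VLAN IDs are made up).

```python
import struct
from collections import Counter

ETHERTYPE_8021Q, ETHERTYPE_EAPOL = 0x8100, 0x888E
PAE_GROUP_ADDR = "01:80:c2:00:00:03"  # destination MAC a supplicant sends EAPOL to
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_frame(frame):
    """Describe one EAPOL frame (src, vlan, EAPOL type, EAP code); None if not EAPOL."""
    if len(frame) < 14:
        return None
    src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None  # vlan stays None for an untagged frame
    if ethertype == ETHERTYPE_8021Q and len(frame) >= 18:  # unwrap one 802.1Q tag
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan = 18, tci & 0x0FFF
    if ethertype != ETHERTYPE_EAPOL or len(frame) < offset + 4:
        return None
    _version, etype, body_len = struct.unpack("!BBH", frame[offset:offset + 4])
    body = frame[offset + 4:offset + 4 + body_len]
    eap_code = EAP_CODES.get(body[0]) if etype == 0 and len(body) >= 4 else None
    return {"src": ":".join(f"{b:02x}" for b in src), "vlan": vlan,
            "eapol_type": EAPOL_TYPES.get(etype, f"unknown({etype})"), "eap_code": eap_code}

def summarize(frames):
    """Count EAPOL messages per (vlan, eapol_type) so tagged and untagged attempts stand out."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is not None:
            counts[(parsed["vlan"], parsed["eapol_type"])] += 1
    return counts

def build_eapol(src_mac, etype, vlan=None, body=b""):
    """Build a constructed EAPOL frame for testing; this is not captured traffic."""
    hdr = bytes.fromhex(PAE_GROUP_ADDR.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, etype, len(body)) + body

# Constructed sample: an untagged EAPOL-Start, a VLAN-10 EAPOL-Start, a VLAN-10
# EAP Response/Identity, and a tagged IPv4 frame that the parser must ignore.
SAMPLE_FRAMES = [
    build_eapol("00:50:56:aa:00:01", 1),
    build_eapol("00:50:56:aa:00:02", 1, vlan=10),
    build_eapol("00:50:56:aa:00:02", 0, vlan=10, body=struct.pack("!BBHB", 2, 1, 5, 1)),
    bytes.fromhex("ffffffffffff005056aa0003810000140800" + "45" * 20),
]
```

On real captures, feed raw frame bytes from your capture library into `summarize`; EAPOL-Start entries with a VLAN ID but no matching EAP-Packet entries mean the supplicant is transmitting tagged and the trunk-side authenticator is not answering, which narrows the problem to the port mode rather than to ISE.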

It does sound like an odd demand for campus switches. If possible, maybe you can try a Nexus switch to see if it truly does support the design you're looking for. If that's impossible (or infeasible) then perhaps see whether 802.1x is the right solution to begin with.

If you must use 802.1x, here are some options:

1) Change the switches to Nexus 3k where necessary (assuming the documentation is correct)

2) Use a vSwitch. Nexus 1000v isn't supported in recent versions of vSphere, but it does support 802.1x per VM. As far as I know, the native DVS for vSphere doesn't support this.

Is this hypervisor found outside your datacenter in a place which isn't secured physically from the rest of the end users? Perhaps 802.1x isn't necessary and something less secure is acceptable, such as TrustSec or MAB?

My question is why is the requirement to enable 802.1x for VMs? Are these VMs servers & workstations? Typically in environments I have worked in the 802.1x requirement is for clients off an edge/access node. I assume these servers are locked in racks. Something you will need if you decide to dedicate a host port for a VLAN off your hosts is to enable authentication mac-move permit. This is assuming you have some sort of vMotion etc. enabled between hosts. HTH!