Certificate Authentication Profile (CAP) - Identity Store Query

dot1x
Level 3

Hi Members,

When we have Certificate Authentication Profile setup and haven't setup Identity Sequence in Authentication Profile, which Identity Store would ISE look for attributes mentioned in CAP Policy?

Accepted Solution

hslai
Cisco Employee

The certificate attribute designated for the user identity is used as the subject/user to lookup for groups/attributes in identity stores as specified in the authorization policy rules. They can be any internal or external identity stores configured in ISE.

What about the authentication part?

For Authentication, would it check the ID Store specified in Authorization rule?

hslai
Cisco Employee

It depends on Steps 3 ~ 5 of Add a Certificate Authentication Profile

In case that no identity store chosen in Step 3, then ISE uses those certificates designed for client authentication in Trusted Certificates only.

Thanks hslai.

Could you please have a look at the attached CAP Profile?

Would it be checking ID Store specified in Authorization Rule?

If yes, what happens during Authentication? How would the user get authenticated?

[Attachment: CAP Profile.JPG]

hslai
Cisco Employee

The "Identity Store" is set to [not applicable] so the authentications will be based on trusted certs only. ISE will still perform groups/attributes lookup using the subject alternative name as user name if your authorization policy rules are using those identity stores.

Thanks hslai, that makes sense.

Correct me if I'm wrong:

Authentication Part: If user certificate is from trusted CA, the user gets authenticated and no ID Stores would be checked.

Authorization Part: Subject Alternative Name would be checked in the ID stores as per Authorization Policy.

hslai
Cisco Employee

Correct.
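The two-phase behaviour agreed on above (authentication decided by the trust store alone when the CAP's Identity Store is [not applicable]; authorization looking the SAN up in whichever identity store each authorization rule names) can be modelled as a small decision routine. The following is an added illustration written for this thread, not ISE code: the certificates, the trusted-CA list, the "AD" identity store, the rule set and every name in them are constructed for the example. It also covers the cases a practitioner usually trips over: a certificate from a CA that is trusted but not ticked for client authentication, a certificate with no SAN, and a valid certificate for a user that does not exist in AD (authentication succeeds, but no authorization rule matches). It does not model the certificate-matching options a real CAP offers.

```python
"""Toy model of how ISE evaluates a Certificate Authentication Profile (CAP).

Added illustration, not ISE code. Every certificate, trusted CA, identity
store, rule and name below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    issuer: str                 # CA that signed the client certificate
    subject_cn: str             # Subject Common Name
    san_upn: Optional[str]      # Subject Alternative Name (UPN), may be absent


@dataclass
class TrustedCA:
    name: str
    client_auth: bool           # "Trust for client authentication" ticked in Trusted Certificates


@dataclass
class CAP:
    identity_attribute: str     # cert field used as the user name: "san_upn" or "subject_cn"
    identity_store: Optional[str] = None   # None models "[not applicable]"


# Constructed identity stores: store name -> user name -> attributes
IDENTITY_STORES: Dict[str, Dict[str, Dict[str, List[str]]]] = {
    "AD": {
        "alice@corp.example": {"groups": ["Domain Users", "VPN-Users"]},
        "erin@corp.example": {"groups": ["Domain Users"]},
    },
}

# Constructed trusted-certificate list
TRUSTED_CAS: Dict[str, TrustedCA] = {
    "Corp-Issuing-CA": TrustedCA("Corp-Issuing-CA", client_auth=True),
    "Corp-Web-CA": TrustedCA("Corp-Web-CA", client_auth=False),   # trusted, but not for client auth
}

# Constructed authorization rules, evaluated top-down; each names its own identity store
AUTHZ_RULES = [
    {"store": "AD", "group": "VPN-Users", "profile": "PermitAccess"},
]

# Constructed client certificates presented during EAP-TLS
CERTS: Dict[str, Cert] = {
    "alice": Cert("Corp-Issuing-CA", "Alice Example", "alice@corp.example"),
    "bob":   Cert("Corp-Issuing-CA", "Bob Example", "bob@corp.example"),    # trusted CA, user not in AD
    "carol": Cert("Corp-Web-CA", "Carol Example", "carol@corp.example"),    # CA not trusted for client auth
    "dave":  Cert("Partner-CA", "Dave Example", "dave@partner.example"),    # CA not in trust store at all
    "frank": Cert("Corp-Issuing-CA", "Frank Example", None),                # no SAN in the certificate
}


def authenticate(cert: Cert, cap: CAP) -> Optional[str]:
    """Return the identity string on success, None when authentication fails."""
    ca = TRUSTED_CAS.get(cert.issuer)
    if ca is None or not ca.client_auth:
        return None                      # chain does not end in a CA trusted for client auth
    identity = getattr(cert, cap.identity_attribute)
    if not identity:
        return None                      # the attribute the CAP selects is absent from the cert
    if cap.identity_store is not None:
        # Only when the CAP names a store does authentication consult it.
        if identity not in IDENTITY_STORES[cap.identity_store]:
            return None
    return identity


def authorize(identity: str, rules=AUTHZ_RULES, default: str = "DenyAccess") -> str:
    """Look the identity up in each rule's own store; the first matching rule wins."""
    for rule in rules:
        user = IDENTITY_STORES[rule["store"]].get(identity, {})
        if rule["group"] in user.get("groups", []):
            return rule["profile"]
    return default                       # no rule matched: fall to the default rule


def evaluate(cert: Cert, cap: CAP) -> Tuple[Optional[str], Optional[str]]:
    """(identity, authorization profile); (None, None) when authentication fails."""
    identity = authenticate(cert, cap)
    if identity is None:
        return None, None
    return identity, authorize(identity)


def run_scenarios(cap: CAP = CAP("san_upn")) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Evaluate every constructed certificate against the given CAP."""
    return {name: evaluate(cert, cap) for name, cert in CERTS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:6} -> {outcome}")
```

Running it shows bob authenticating (his issuer is trusted for client auth) yet landing on DenyAccess because the SAN lookup in "AD" finds nothing, while carol, dave and frank never reach authorization. Changing the CAP to `CAP("san_upn", "AD")` makes bob fail at authentication instead, which is the difference a configured Identity Store makes; choosing `subject_cn` as the identity attribute would make even alice miss the AD lookup, because the CN is not her AD user name.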

Is there any basic config example for certificate based authentication both for ISE and Client side?

hslai
Cisco Employee

ISE Training has links to various materials.

We have some GOLD labs via SalesConnect but these offerings are ending this Thursday.

BYOD -- shows using ISE BYOD to provision a certificate to an Apple iDevice using ISE internal CA

Integrating ISE with Active Directory -- shows using GPO in AD to provision certificates and authorize using AD.

Thanks hslai for your comments and suggestions.