I don't think ISE checks for extended key usage on the cert to ensure client authentication is enabled, but never tested that.  The 802.1x supplicant should only be using certs with client auth EKU enabled.

I usually tell customers ISE at a minimum will do the following

1. Has the cert been issued by one of the trusted CA certs loaded into ISE that have the "Trust for client authentication and syslog" option set.  ISE will not authenticate certs from any CA loaded into ISE only the ones with that option checked.
2. Is the cert valid, i.e. not expired.

Optionally, if configured ISE will also do CRL or OCSP revocation checking.

If the certificate profile used in authentication is tied to AD the ISE will ensure the identity in the certificate is present in AD.

Thanks for the input.  Specifically what I'm looking for is whether ISE checks if a trusted certificate has the Cert Signing EKU.

What prompted the question was configuring 802.1x on phones with CUCM.  The CAPF certificate on Call Manager was signed using the Web Server template, instead of the Sub-CA template, so it didn't have the Cert Signing EKU.  Needless to say, things didn't work.

What I suspect was going on, (but I can't verify without a packet capture from the failed requests), is that the LSC certs that were being applied to the phones by Call Manager were using the self-signed CAPF Sub-CA certificate (CAPF-abc12345).  So ISE couldn't authenticate that, since it had to mis-configured WebServer CAPF (CAPF-xyz12345) cert in the trusted store.  But the question that I'm being asked is, "Does ISE check whether a trusted cert has the cert-signing EKU?"

The authentication failure details don't tell you what cert was presented from the client, it just says the handshake failed.

Thanks again for the help on this.