Environment will have a publicly signed certificate installed on ISE as system certificate for EAP and portal use. In addition ISE is authenticating client devices via EAP-TLS using certificates signed by a private CA on the company network. Need to make sure that only certificates signed by the internal CA are authenticated and not any certificates signed by the same public CA. Is it only trusted certificates that have Usage: "trust for client authentication and syslog" that are used for EAP-TLS client authentication? Need to make sure that the system certificate used for EAP and other trusted certificates are not used by ISE for client certificate authentication.
I have come across this kind of scenario before where we made use of a differentiating parameter (SAN) in the certificate template and referenced the condition in authorization policies.
In your case, if a client comes with a certificate signed by the public CA, it should also match the condition for the parameter in the authorization profile. Since you own the internal CA, you can come up with a unique identifier and prevent clients presenting certificates signed by public CAs.
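The two-layer approach described in this reply, as an added illustration that is not from the thread and not Cisco ISE configuration: an openssl script that builds a constructed internal CA, a constructed stand-in for the public CA and three client certificates, then applies both checks (trust anchor limited to the internal CA, plus a template marker in the SAN). The marker URI `urn:example:eap-client` and the file names are assumptions.

```shell
#!/bin/sh
# Added demo, not ISE configuration. Builds a constructed internal CA, a constructed
# stand-in for the public CA, and three client certs, then applies the two checks
# the reply describes: trust only the internal CA for client auth, and require a
# marker that only the internal certificate template stamps into the SAN.
set -e
WORK=$(mktemp -d); cd "$WORK"
MARKER="URI:urn:example:eap-client"   # constructed placeholder for the template's SAN value
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

mk_ca() {   # $1 = CA name; self-signed root with CA extensions from ca.cnf
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.pem" -subj "/CN=$1" -days 1 2>/dev/null
}
mk_client() {   # $1 = client name, $2 = issuing CA, $3 = subjectAltName value (empty = none)
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$1.ext"
  if [ -n "$3" ]; then printf 'subjectAltName=%s\n' "$3" >> "$1.ext"; fi
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 1 -extfile "$1.ext" 2>/dev/null
}
# Returns 0 only if the cert chains to the internal CA (check 1) and carries the
# template marker in its SAN (check 2, the authorization-policy style condition).
client_is_authorized() {   # $1 = client cert file
  openssl verify -no-CApath -no-CAfile -CAfile internal-ca.pem "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -qF "$MARKER" || return 1
}

mk_ca internal-ca
mk_ca public-ca                                # stand-in for the public CA that issued the ISE system cert
mk_client good-client   internal-ca "$MARKER"
mk_client stray-client  internal-ca ""         # right CA, but issued from a template without the marker
mk_client public-client public-ca  "$MARKER"   # marker copied, but wrong CA: still rejected
for c in good-client stray-client public-client; do
  if client_is_authorized "$c.pem"; then echo "$c: authorized"; else echo "$c: rejected"; fi
done
```

Only good-client passes; stray-client fails the SAN condition and public-client fails the trust-anchor check, which is the point of pinning client authentication to the internal CA rather than to the public root.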
I guess my question is, are authorization policies necessary in this case? Will the Usage: "trust for client authentication and syslog" setting on the trusted certificate limit EAP-TLS authentication to only certificates signed by that trusted root?