Thks gbekmezi and hslai for your replies,
Let me start answering that yes, I have two servers configured in that section.
Now let me re-phrase my issue providing a little more info.
When I connect my test-laptop to the switch, it applies the limited
connection profile as expected:
switch#sho authe sess int gi1/0/2 det
Interface: GigabitEthernet1/0/2
IIF-ID: 0x101B180000000BB
MAC Address: 8cdc.d4cd.8a8f
IPv6 Address: Unknown
IPv4 Address: 172.20.40.100
User-Name: 8C-DC-D4-CD-8A-8F
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1428F70000107F7EEE74B2
Acct Session ID: 0x000016C6
Handle: 0x9F00002B
Current Policy: POLICY_Gi1/0/2
Server Policies:
Vlan Group: Vlan: {vlan-id}
ACS ACL: xACSACLx-IP-EASYCONNECT_ACL-5b3409b5
Method status list:
Method State
mab Authc Success
But no matter I login successfully into domain, profile does not change to full-access.
I have noticed that full-access authorization policy inside my EZConnect policy does not get any matches, the condition for this policy is
"{myDomain} ExternalGroups EQUALS {myDomain}/Users/Domain Users".
All matches go to default policy which has the limited-connection profile.
"Domain Users" group was included in "Network Access>Ext Id Sources>Active Directory>Groups"
I am using default CoA port (1700), my ISE servers are behind a firewall as expected, but I could not see any packets going in that port (on both FW´s interfaces) just 1812-1813 packets.
FW has policies to allow CoA traffic to reach ISE servers.
I am not pretty sure who triggers the CoA (the switch or the ISE server) and I have checked connection between ISE servers an AD and all test passed.
Step latency=10003 ms) 
