This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Please bear with me if my question seem a bit odd as I am new in world of ISE.
So I am looking get ISE in my environment. As there is concept of groups in ISE so what about my wired users For suppose I have 2 departments so I will make 2 groups (Eg. HR and IT) and each department have 2 wireless and 2 wired users, do they still get all access or I need to make separate groups and/or policy for wired users.
IMO that question depends on requirements. I suggest taking a peek at the following resources to help understand the capabilities and variety of options you have with ISE:
Typically we would separate the policies on ISE for wired and wireless, but that does not mean you can have a policy set for both wired and wireless and apply the same exact authorization profiles.
Not necessarily, it depends on how you want to build up your policy set. Take a look at this basic example, and see how the policy set can be conditioned to accept wired or wireless dot1x traffic:
Keep in mind that different network device types use different authorisation controls. For example, Catalyst switches support using downloadable ACLs (dACLs) while AireOS-based WLCs (5508, 5520, etc) leverage named Airespace ACLs. For this reason, we typically use different Policy Sets for Wired vs. Wireless and different Authorization Profiles for those sessions depending on the control that is being used.
AuthZ Proflle = 'AuthZ-Wired-Computer' with a DACL
AuthZ Profile = 'AuthZ-Wireless-Computer' with an Airespace ACL