The bare minimum is a simple RADIUS Access-Accept which allows the endpoint on to the default assigned VLAN with no other security features. This is the most scalable and is how you would achieve the 2000 maximum sessions in the doc referred by @balaji.bandi .
However, On or Off the network is pretty rudimentary these days. The reality is you probably have a variety of endpoints or scenarios you will inevitably want to handle. The reality is it depends on your actual authorization implementation on your switchport and you haven't told us how you want to enforce the authorizations on a port. ISE can do any enforcement options available via RADIUS which is typically VLAN, [d]ACLs, and security groups (SGTs).
You typically only get one Data VLAN and one Voice VLAN. If you want to cram 3 or more devices into a 3 or more VLANs per switchport, that is not going to work and they are going to share the Data VLAN. Is that OK for you? Yes, you can dynamically change the VLAN since it is 802.1X but then it's a last-one-wins scenario for all of the endpoints on the port and you might have L3 IP DHCP refresh problems if you change VLANs on endpoints.
Are you planning to do L3/L4 ACLs on a switchport? OK. Your limit then becomes the number of ACL ACEs (access control entries aka lines) per switchport.
"How many ACEs are there per switchport?!" : It varies per access switch platform but is typically 32-64 ACEs per ASIC.
"How do I confirm the exact number for the 9300/9400?!" : Ask the switching teams... I am not aware of an simple, convenient reference table.
So with L3/L4 ACLs, your max sessions calculation is below since you have not stated your ACL size or number of endpoints per port.
max_sessions = max_aces_per_switchport / (aces_per_endpoint * endpoints_per_port)
Finally there are security group tags (SGTs). There are SGT enforcement limits documented in Segmentation Strategy :
