Dot1x User Authentication with Certificates

Dkiptoo
Level 2

Hello, we have ISE as our AAA server and it is configured to authenticate network users using user certificates issued by our local CA server. Successfully authenticated users, which are AD users, are placed on the Corps VLAN; otherwise they go to the guest VLAN. I have had an issue lately: the certificates for some of the users expired and they are now on the guest VLAN. The problem is I cannot renew the certificates directly from the client, as they cannot reach the CA due to being on the guest VLAN. I get the error that it cannot reach the server. How do I go about such an issue? How do I renew the certificates for the other users? Thank you.

21 Replies 21

balaji.bandi
Hall of Fame

Either you need to manually update the certs or make arrangements to push them using GPO to the end clients (so next time you will not have this issue).

Is ISE acting as the CA server, or do you have a PKI infrastructure?

BB

===== Preenayamo Vasudevam =====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

We have a dedicated PKI server, which is Windows and is integrated with AD.

Then you should be able to push it via GPO, and on the client side try a GP update.

BB


Under these users' port config:

- set the port to access mode on VLAN x (`switchport mode access`, `switchport access vlan x`)
- disable 802.1x under the port
- after the user renews the cert, remove the VLAN and enable 802.1x again

MHM

The environment is SDN-based, therefore I can see the dot1x auth failures from the specific switch and also the ports the users are connected to.

@Dkiptoo To resolve this issue temporarily, allow expired certificates so that the devices get network access:

Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access (custom name) and check the box for "Allow Authentication of expired certificates to allow certificate renewal in Authorization Policy".

Then amend your GPOs to automatically renew certificates before they expire.

Once certificates have been renewed, then disable the expired certificates.

This is a good idea.

But then he never knows which users have an expired cert (authc failed) and which users don't have an expired cert.

Let ISE fail authc to let him know that.

MHM

You can determine which devices do have expired certificates: create a new authorisation rule matching on CERTIFICATE Is Expired True. You can allow those devices just enough access to renew certificates. You will be able to run reports on which devices match this rule. All done centrally via ISE.

That's much better.

MHM

Thank you Rob, let me try this option. GPO to renew and auto-enroll is already in place, though.

Hi @Rob Ingram, I tried following your workaround; however, interestingly, I woke up today with all devices on the network not able to authenticate or even reach the DHCP server to get access to the Internet. Unfortunately, the Advantage Licence expired 19 days ago and we're in the process of renewing. I fixed it temporarily by enabling the Essential Licence after realising that it was disabled. But again, despite all devices getting Internet, they are all placed on the guest VLAN. From the ISE license tiers, the Essential tier should provide basic AAA including dot1x authentication. I am trying to understand what could be the issue that all devices are on the guest VLAN, even domain-joined workstations with valid certificates and users. I would really appreciate your input.

@Dkiptoo What features are configured in your authorisation rules? What rules are being matched, or is authentication/authorisation failing? Provide a screenshot of the live log of an example.

Hi Rob, 

I was able to trace the issue to an AD synchronization problem, which meant ISE could not authenticate users, defaulting them to guest. Authentication and Authorization policies are fine. I would however like to know how to apply the policy that will renew the certificates as stated earlier. It seems the policy in place didn't renew the user cert after making changes here: "Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access (custom name) and checking the box for 'Allow Authentication of expired certificates to allow certificate renewal in Authorization Policy'."

@Dkiptoo Well, first you need to make the changes on ISE to allow expired certificates; that will allow the computers onto the network. Once they have network connectivity, if the GPO configuration for certificate enrollment is working, then the computers should renew their certificates.

It's the Windows GPO settings that will renew the certificates, for example: https://lostintransit.se/2024/11/07/leveraging-gpo-to-distribute-user-and-computer-certificate/
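The thread's root cause is that user certificates expired silently and the clients only discovered it once they had already been moved to the guest VLAN, where the CA is unreachable. The following is an added example (not code from the thread or from Cisco ISE) that a desktop or PKI admin could run on a domain-joined client before that happens: it lists the user's personal certificates that are expired or close to expiry and, if any are found, forces the Group Policy refresh and auto-enrollment pass that the GPO-based renewal depends on. The 30-day window is an assumed threshold; adjust it to your certificate lifetimes.

```powershell
# Added example: report user certificates that are expired or expiring soon,
# then kick off GPO auto-enrollment so renewal happens while the CA is still reachable.
param(
    # Assumed threshold: flag anything expiring within this many days
    [int]$DaysAhead = 30
)

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# Only certificates with a private key can be used for EAP-TLS user authentication
$certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }

$report = foreach ($c in $certs) {
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = [int]($c.NotAfter - $now).TotalDays
        Status     = if ($c.NotAfter -lt $now)    { 'EXPIRED' }
                     elseif ($c.NotAfter -lt $cutoff) { 'EXPIRING' }
                     else                            { 'OK' }
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize

$needsRenewal = @($report | Where-Object { $_.Status -ne 'OK' })
if ($needsRenewal.Count -gt 0) {
    Write-Host "$($needsRenewal.Count) certificate(s) need renewal; triggering GPO refresh and auto-enrollment."
    # Refresh user Group Policy, then run the auto-enrollment task immediately.
    # Both require the client to reach the PKI server, i.e. not be on the guest VLAN yet.
    gpupdate /target:user /force | Out-Null
    certutil -user -pulse | Out-Null
} else {
    Write-Host "All user certificates are valid for more than $DaysAhead days."
}
```

Running this from a scheduled task or logon script surfaces the expiring certificates in a report before ISE starts failing the authentication, which complements the ISE-side "CERTIFICATE Is Expired" authorisation rule described earlier in the thread.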