We use Cisco APs + WLC9800-CL + ISE 3.2 + C9200 + dot1x + DVLAN + DHCP snooping. For access ports I attached tracking; for AP ports, tracking is disabled.
When the PC boots up, it uses its own special auth certificate and the switch or AP puts it into a special PC VLAN. When the user logs on, the system uses the user's own certificate and gives a new VLAN based on the account's AD group. Everything works fine: when the PC gets its VLAN, it also receives an IP from the pool of this VLAN. When the user logs on, ISE sends a new VLAN and the PC/user session requests a new IP from the department DHCP VLAN's pool.
However, if I check ISE's session logs, I see only the PC's IP address, twice: the first time from the PC account and the second from the user.
This is not what I expected to see. I guess ISE could see that the user switched to a new VLAN and get a new IP address, and can account for it. It doesn't matter if I use wire or Wi-Fi. ISE starts showing the real user session IP address in the logs after some time, but not immediately.