240 Views, 2 Helpful, 3 Replies

how to configure dot1x authentication for VM servers with ISE 3.X

ravina-gurav
Level 1

Need to configure dot1x for VM server machines. How can we do this with the ISE server?

3 Replies

Arne Bier
VIP

Hi @ravina-gurav 

This can be complicated.

The question is, what interface type are the VMs connecting to (e.g. LAN Switch Access Port, or .1Q Trunk?)

If the VM port group is on a switch trunk interface then I would say, forget it. It won't work. You should not enable 802.1X on a trunk interface unless you're willing to send every unknown MAC address to ISE for authentication - IIRC, every learned MAC address for every allowed VLAN on that trunk will be subject to NAC. It's been a while ... but trunks and NAC are mutually exclusive. People have been reporting success with Cisco FlexConnect WAPs on interfaces that are NAC controlled - ISE can download an interface template and turn an access port into a trunk. And even that is fraught with complications (IOS-XE 17.7.1 has a new command to assist with this problem).

I don't know if you can have 802.1X enabled on a VM when the Hypervisor's network uplink is a trunk interface on the switch.

And of course you won't be dedicating a physical Server NIC per VM ... that would solve the problem, but doesn't scale.

If the Hypervisor is using only a single VLAN (e.g. simple home lab) then the answer is simple - enable NAC on your LAN switch interface that the hypervisor is connected to. And then ensure you have rules in ISE that allow the MAC address(es) of the hypervisor, and have appropriate 802.1X policies for the VMs that are 802.1X enabled. In this case you would configure the Cisco LAN switch with "access-session host-mode multi-auth" - this means each MAC address must be authenticated by the RADIUS server.

One question makes a big difference in the selection:

Do the VMs have multiple MACs or a single MAC?

Run `show mac address-table` and check this point before you do any config.

MHM
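
The single-VLAN case Arne describes (NAC on the hypervisor-facing access port, "access-session host-mode multi-auth", MAB for the hypervisor's own MAC and 802.1X for the VMs) and MHM's "count the MACs first" check, written out as an added IOS-XE configuration example. This is not configuration from either poster or from Cisco documentation; the interface name, VLAN 100, the RADIUS server address 192.0.2.10, the policy/class-map names and the shared secret are all assumed placeholders.

```ios
! Added example, not from the thread. Hypervisor uplink on a single-VLAN
! access port; every MAC seen behind the port is authenticated on its own.
! Interface, VLAN, RADIUS address, secret and policy names are assumptions.

! --- Global AAA / RADIUS towards ISE (192.0.2.10 is a placeholder PSN) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>

! --- IBNS 2.0 control policy: try 802.1X first; if the endpoint never
!     answers EAP (e.g. the hypervisor management MAC), fall back to MAB ---
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found

policy-map type control subscriber POLICY_DOT1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10

! --- Hypervisor-facing access port (assumed Gi1/0/10, VLAN 100) ---
interface GigabitEthernet1/0/10
 description Hypervisor uplink - single VLAN, NAC enabled
 switchport mode access
 switchport access vlan 100
 access-session host-mode multi-auth
 access-session port-control auto
 dot1x pae authenticator
 mab
 service-policy type control subscriber POLICY_DOT1X_MAB

! --- Checks ---
! Count the MACs behind the port before enabling NAC (single vs multiple
! MAC per VM): in multi-auth mode every one of them is sent to ISE.
show mac address-table interface GigabitEthernet1/0/10
! After enabling: each learned MAC should appear as its own session,
! the hypervisor MAC via MAB, the 802.1X-capable VMs via dot1x.
show access-session interface GigabitEthernet1/0/10 details
```

On an older IOS/IOS-XE release that still shows the legacy `authentication ...` interface syntax, the `access-session` and `policy-map type control subscriber` commands only become available after converting the box with `authentication display new-style`; on current IOS-XE they are the default. ISE still needs a MAB rule that permits the hypervisor MAC(s) and an 802.1X rule for the VM identities, as Arne's reply says; the switch side alone does not admit anything.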

What are you actually trying to do? Why do you want to do this?