We happen to use our ISE with the device management license to control switches, firewalls, webapps (yes webaps), Infoblox, etc. with a combination of Radius policies and TACACS+ polices. FWIW, most people here interchange "NAC" with the word "ISE" now in meetings, so I jokingly call ISE device management TACISE.
Anyway, we have users defined with Windows roles, which are used for some devices with Radius or TACACS+ protocols. In some cases those policies send back attributes, like you'd see on Infoblox appliances or Palo Alto Firewalls, and in some cases they check individual commands, like on Cisco ASAs, Cisco switches, certain voice gateways, etc. You can go as deep down the rabbit hole as you want, control-wise. Just be sure to define your device groups correctly and your policy sets or radius attributes will work fine for the desired group + equipment combinations.