I know that you can use ISE as your authorization server. Essentially, you would CAC auth against your VPN concentrator and perform verification of the user cert. In your configuration profile, under authentication method, you would set up certificate only. You would then enable authorization, ensure that users must exist in the authz database, and ensure that "specify certificate fields to be used as username" is set to UPN or the specific attribute that you wish to map the user with. Then, assuming you have ISE set up properly, you could map the extracted UPN to an external identity source such as AD and push an authz profile accordingly.

As for using ISE for authc, I have only seen this done with username/pass extraction. IMO the downside is that when extracting something like the UPN, AD wants the user password associated with the UPN and not the actual cert PIN. If you enforce CAC only in the environment, then that would be a showstopper. HTH!
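The settings described in the reply above, written out as CLI. This is an added example and not part of the original post; it assumes the VPN concentrator is a Cisco ASA, and the server group name `ISE`, the tunnel-group name `CAC-VPN`, the interface `inside`, the address `192.0.2.10` and the shared secret are hypothetical placeholders.

```cisco
! Added example; assumes a Cisco ASA. All names and addresses are placeholders.

! RADIUS server group pointing at ISE, used for authorization only:
! the ASA sends the extracted username without a user password check.
aaa-server ISE protocol radius
 authorize-only
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>

tunnel-group CAC-VPN type remote-access

tunnel-group CAC-VPN general-attributes
 ! Enable authorization against ISE.
 authorization-server-group ISE
 ! "Users must exist in the authz database": reject the session
 ! if ISE returns no authorization result for the extracted username.
 authorization-required
 ! Use the UPN from the certificate as the username sent to ISE.
 username-from-certificate UPN

tunnel-group CAC-VPN webvpn-attributes
 ! Authentication method: certificate only. The ASA validates the CAC
 ! certificate against its trustpoints; no username/password prompt.
 authentication certificate
```

With this layout the certificate check stays on the concentrator and ISE only maps the UPN to a directory identity and returns the authorization profile, so no AD password is ever requested.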