I've been learning and tinkering with an ISE trial before recommending changes to our production nodes. Specifically, I'm figuring out EAP-TLS to see if we want to offer that option to our staff and students instead of just PEAP (which, unfortunately, given our password policy, requires modifying device settings after every password change).
We have an AD CA server and we generated a long certificate there and then used that to sign a CSR for an Intermediate cert from ISE and it is now using that certificate for device cert signing and EAP authentication.
I've gotten the BYOD flow working and can see how devices going through that flow get their certificate.
The next thing I'm trying to figure out is, if we were to do wired 802.1x everywhere, what is the process for generating a cert or certs for devices like APs, VoIP phones, and domain-joined computers? I'm assuming you don't have to onboard each device manually? If not, then you'd presumably generate a certificate on ISE that then gets installed on the WLC, CUCM, or in Group Policy for the domain-joined machines and they'd simply all share the same certificate? I know AD CA can generate machine specific certs for the domain-joined devices but I'd think ISE wouldn't trust them because they'd be signed by the AD CA root and not by the ISE intermediate cert.
Depends entirely on the device. Whether or not they support EAP-TLS and certificate enrollment using SCEP, GPO, etc.
Why are you considering the ISE CA at all? Is ISE an intermediate CA for your AD CA? Or a completely separate CA is used for BYOD? Why not trust your AD CA for client authentication and have that push certificates to your devices. The ISE CA is not designed to be an enterprise level CA.