10-16-2020 08:33 AM
Hi Guys,
I am doing wired 802.1X via ISE 2.7 and I had a successful test; however, there is one thing I noticed in my testing. In the RADIUS Live Logs, I can see that my endpoint is being successfully authenticated and authorized to the correct VLAN, and my endpoint is able to get an IP address from the DHCP server; however, in the RADIUS Live Logs and on the switchport (show auth session int), I cannot see the endpoint's IP address.
The switch is configured with DHCP snooping, device sensor, and radius-server VSA attributes, but still the IP address is not showing on either the switchport or in the RADIUS Live Logs.
The topology looks something like this:
TOPOLOGY:
Endpoint <-> Access-Switch <-cascaded to-> Access-Switch <-> Core-Switch <-> WAN <-> DHCP
Thanks
10-16-2020 08:42 AM
RADIUS comes before the DHCP request,
so when the endpoint connects to RADIUS it has not yet got an IP address from the DHCP server.
10-16-2020 10:03 AM - edited 10-16-2020 10:03 AM
Did you check that the DHCP parameters are correctly received by ISE? Perhaps you need to add ISE as a DHCP relay in the SVI config.
10-16-2020 10:16 AM
You need to enable IP device tracking on the switch. You can enable that with the command ip device-tracking. If you are on XE code, you need to create a device tracking policy and associate it to the ports.
10-17-2020 12:05 AM
Hi @Aref Alsouqi , thanks for the feedback. I haven't tried this but let me check on this part.
10-17-2020 03:19 AM - edited 10-17-2020 03:20 AM
Hi Aref,
on Cisco switches running .1x, IP device tracking gets utilized automatically. There is no need to configure it explicitly unless one needs to tune it.
4500SW#sho inve | i 45
NAME: "Switch System", DESCR: "Cisco Systems, Inc. WS-C4507R+E 7 slot switch "
...
4500SW#sho run | i device tra
4500SW#sho ip device tra all | ex Gi|^$
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 10
IP Device Tracking Probe Auto Source = Enabled
Probe source IP selection order: SVI,Zero Source
-----------------------------------------------------------------------------------------------
IP Address MAC Address Vlan Interface Probe-Timeout State Source
-----------------------------------------------------------------------------------------------
Total number interfaces enabled: 154
Enabled interfaces:
4500SW#
9300SW#sho inve | i 93
NAME: "c93xx Stack", DESCR: "c93xx Stack"
...
9300SW#sho run | i device tra
9300SW#sho device-tracking database | count Gi
Number of lines which match regexp = 10
10-18-2020 08:19 AM
Maybe that is dependent on the platform, or maybe on the very latest releases? With many of the deployments we do, we have to go and enable it manually, so I am not really sure whether that is platform- or release-specific.
An IP helper would only help to feed ISE with the DHCP attributes related to the endpoints, and that is mainly used for profiling. But I think IP device tracking does not feed ISE with anything; it is mainly used to populate the switch's own database with the interfaces, MAC addresses and IP addresses of the connected endpoints. IP device tracking is essential to have enabled on all the endpoint interfaces when it comes to dot1x: it is responsible for populating the endpoint IP address on the authentication session, and without it we would see an unknown IP address. It is also essential when it comes to dACLs, as it allows the switch to swap the "any" keyword with the actual endpoint IP address; without that, dACLs would not work.
Regarding the DHCP snooping issue, I would recommend verifying whether the issue is related to option 82. That might be enabled, depending on the design, and prevent the DHCP snooping database from being populated.
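The two checks discussed above (does the switch's device-tracking database know the endpoint, and did DHCP snooping at least see the lease) can be cross-referenced against the authenticated sessions to see at a glance which endpoints will show an unknown IP on the session and in ISE. The script below is an added example, not code from this thread or from Cisco; the three sample tables are constructed to resemble the output of show authentication sessions, show device-tracking database and show ip dhcp snooping binding, and the parsing is deliberately loose (any line carrying a MAC, and an IPv4 where expected) so it tolerates column differences between platforms. Paste real output into the three strings to use it. One caveat worth checking on the cascaded topology in this thread: the upstream access switch also runs snooping, and a DHCP packet that arrives on one of its untrusted ports already carrying option 82 (inserted by the downstream switch) is dropped, so the downstream switch's uplink must be trusted on the upstream side or option-82 insertion turned off on the downstream switch.

```python
"""Cross-check 802.1X sessions against device-tracking and DHCP-snooping tables.

Added example, not from the thread. All three tables below are constructed
sample text shaped like IOS-XE 'show' output, not captured from a device.
"""
from __future__ import annotations

import re

# Matches either Cisco dotted MACs (0011.2233.4455) or colon MACs (00:11:22:33:44:55).
MAC_RE = re.compile(
    r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|[0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I
)
IPV4_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b")

# Constructed sample: 'show authentication sessions' summary (three authorized endpoints).
AUTH_SESSIONS = """\
Interface    MAC Address     Method  Domain  Status Fg  Session ID
Gi1/0/10     0011.2233.4455  dot1x   DATA    Auth       0A0A0A01000000A3F8C2D1E4
Gi1/0/11     0011.2233.6677  dot1x   DATA    Auth       0A0A0A01000000A4F8C2D2F0
Gi1/0/12     0011.2233.8899  mab     DATA    Auth       0A0A0A01000000A5F8C2D3A1
"""

# Constructed sample: 'show device-tracking database' (only one endpoint learned).
DEVICE_TRACKING = """\
 Network Layer Address  Link Layer Address  Interface  vlan  prlvl  age  state
DH4 10.10.20.51         0011.2233.4455      Gi1/0/10   20    0024   5s   REACHABLE
"""

# Constructed sample: 'show ip dhcp snooping binding' (two leases seen by snooping).
DHCP_SNOOPING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.10.20.51      86400       dhcp-snooping  20    GigabitEthernet1/0/10
00:11:22:33:88:99   10.10.20.53      86400       dhcp-snooping  20    GigabitEthernet1/0/12
"""


def norm_mac(mac: str) -> str:
    """Normalize any MAC notation to 12 lowercase hex digits so tables can be joined."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_auth_sessions(text: str) -> dict[str, str]:
    """Return MAC -> interface for every session line (the interface is the first column)."""
    sessions: dict[str, str] = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if m:
            sessions[norm_mac(m.group(1))] = line.split()[0]
    return sessions


def parse_mac_ip_table(text: str) -> dict[str, str]:
    """Return MAC -> IPv4 for lines carrying both (device-tracking DB or snooping binding)."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        m, ip = MAC_RE.search(line), IPV4_RE.search(line)
        if m and ip:
            table[norm_mac(m.group(1))] = ip.group(1)
    return table


def sessions_without_ip(auth: dict[str, str], tracking: dict[str, str],
                        snooping: dict[str, str]) -> list[dict]:
    """Authenticated MACs absent from the device-tracking DB.

    Those are the sessions that show an unknown IP on the switch and in ISE.
    The snooping binding tells you where to look next: a binding without a
    tracking entry points at device tracking, no binding at all points at the
    DHCP path (snooping not populating, relay/trust, option 82).
    """
    findings = []
    for mac, intf in auth.items():
        if mac in tracking:
            continue
        binding = snooping.get(mac)
        hint = ("device tracking not learning this endpoint" if binding
                else "no DHCP binding either: check snooping/relay path first")
        findings.append({"mac": mac, "interface": intf,
                         "dhcp_snooping_binding": binding, "hint": hint})
    return findings


def run_check() -> list[dict]:
    """Run the cross-check over the constructed sample tables."""
    return sessions_without_ip(parse_auth_sessions(AUTH_SESSIONS),
                               parse_mac_ip_table(DEVICE_TRACKING),
                               parse_mac_ip_table(DHCP_SNOOPING))


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

On the sample data the endpoint on Gi1/0/11 has neither a binding nor a tracking entry (the situation described in this thread, so DHCP snooping is the first thing to check), while the one on Gi1/0/12 has a lease in the snooping table that device tracking never picked up.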
10-19-2020 12:35 PM
DHCP data previously collected by device tracking is sent to ISE within accounting messages.
10-19-2020 04:00 PM
Maybe you are referring to device sensor, not device tracking. Details collected by device sensor are sent to ISE through RADIUS accounting messages, but as far as I know, that is not the case with device tracking.
10-16-2020 10:22 AM
Similar to this:
device-tracking tracking
device-tracking policy MY-TRACKING-POLICY
limit address-count 10
no protocol udp
tracking enable
interface GigabitEthernet1/0/x
device-tracking attach-policy MY-TRACKING-POLICY
10-17-2020 12:10 AM
By the way, I have added information about the issue that I am encountering. When I check the DHCP snooping binding on the access switch, I cannot see any data in the binding table. I believe this is the reason why the RADIUS Live Logs are not showing the IP address of the authenticated endpoint. But why is the DHCP snooping table not populating?
10-17-2020 03:09 AM
Did you check that ip dhcp snooping is enabled globally and on the VLAN on the switch?
P.S. With regard to IP device tracking: in the past we had a problem with profiling on ISE even when there was DHCP data previously collected by device tracking being sent to ISE. We then configured IP helpers to ISE on the affected SVIs, even though it didn't make a lot of sense, keeping in mind that the needed data is already sent to ISE by the access switch. But this extra add-on resolved our problem.
P.P.S. There is another approach: apply the device-tracking policy at the VLAN level (this is how it works by default if you didn't customize device tracking):
EX:
device-tracking policy DEVICE_TRACKING
no protocol udp
tracking enable reachable-lifetime 120
vlan configuration 1-4094
device-tracking attach-policy DEVICE_TRACKING
10-17-2020 03:49 AM
Hi @Andrii Oliinyk, yes, I double confirmed that DHCP snooping is enabled on the switch as well as on the user VLAN.
You mean I need to put the DHCP helper address on the L3 switch where my L2 switch is connected? I now remember doing something similar before, when I configured a DHCP helper address, but that time I was using ClearPass. Thanks for this.
10-17-2020 06:09 AM - edited 10-17-2020 06:10 AM
I'm quite surprised you don't have a DHCP snooping binding DB containing something. Maybe there was no DHCP activity from the endpoints attached to the switch? What does "sho device-trac data" output?
10-17-2020 08:01 AM
Hi @Andrii Oliinyk, I double checked that the endpoint is set to acquire an IP from DHCP, and I also confirmed that after a successful authc/authz in ISE the endpoint was able to get an IP, but still the DHCP snooping DB on the access switch does not have any data.