If I'm authentication devices joined to Azure AD using certificate, since authentication of the devices via AAD is not possible, can ISE still perform certificate validation using OSCP/CRL (if configured) during authentication?
To prevent hub from being connected to an 802.1x port, add the command "authentication host-mode multi-domain" to the switch port. This command will only allow a single device in the data VLAN and a single device in the voice domain (voice VLAN).