We are on ISE 3.3 now; when we cut over to the new wireless controller, we were on ISE 3.1 maybe?

The wireless controller we have now is version 17.6.4 of the Cisco Catalyst 9800-CL

The authentication process for wifi depends on the machine having a DigiCert-signed trusted certificate loaded on it, which matches the one in ISE that corresponds to the admin portal and bears the same common name and subject altnernate name as the hostname.

i am working on WLC 9800 with 17.9.3 with ISE 3.1 with certs and 802.1x  all works as expected for me.

Iam sure user able to login to network and get what resources - this means ISE profiles working with radius.

where do you see this : the endpoint shows as "Disconnected",

So if I were to look at the WLC and see who is active, then look for the same endpoint in ISE under active endpoints, the person does not show up. However, if I look under Total Endpoints, then the use will show up in there as disconnected, and at that moment, the person's machine can be pinged and he or she is accessing the network. It will show here the person has been successfully authenticated.

Thanks for the suggestion! I will check it out.

I ran the one script to check the config-errors and I corrected one error that definitely applied, but it made no difference as far as ISE showing the devices connected.

Well I'm running (home lab) ISE 3.3 and 9800 with v17.12.1 and I see the same issue.  I have like 50+ devices connected on wireless and only my son's PS5 shows as connected.  All other devices show disconnected.  I run ISE 3.0 in production and I see all 100% connected under authentication status.

Just to clarify, I run MAB for testing on a PSK SSID and the PS% is connected to an RLAN.  I will try 802.1x and see if ISE  3.3 shows connected.

Yeah, I have noticed with ISE 3.3 that all the wired devices have come up as MAB and not 802.1X, even though they are domain joined and all have the trusted DigiCert-signed certificate.

So just tested with ISE 3.3 and using 802.1x and still, the only device that shows connected is the PS5.

Keep in mind that maybe your policy for wired has MAB, so you would need to look more into that.

I do see all my device under the active endpoints under live sessions, but under context visibility, only the PS5:)

I am seeing them under live sessions, but at least one of them is coming up with the wrong IP address in ISE (I am basing this on what I see on the WLC) and yet they do not show a connected status when I look under Total Endpoints, so they are not consuming licenses.

You might just want to open a TAC case and see what they have to say.  Under my licensing, I do see the license being consumed, which seems different from what you see.

I have opened a case, but it has not gone far.