On the certificates you have imported you have the "trust for client authentication" checked for all certs? I cloned the default computer template for my computer certificates just to have the auto-enroll settings and that is working fine.
The reason ISE rejected the certificate was because an extra extension added to the certificate.
The server team added this extension to the 'Application Policy Extension' and then made it critical, they wanted to have something extra to filter on.
ISE rejected the certificate because it couldn't validate the extra extension and a critical extension has to be validated. When we removed the 'Make this Extension Critical' check mark from the certificate it worked as it should.
5400, Failed-Attempt, Authentication failed, User authentication failed. ... 44, 5412, Failed-Attempt,dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. ...... There seems to be an internal problem with the client's supplicant,
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...