How to Configure ISE/ISE-PIC for User Control

You can use ISE/ISE-PIC in any of the following configurations:

With a realm, identity policy, and associated access control policy.

Use a realm to control user access to network resources in policy. You can still use ISE/ISE-PIC Security Group Tags (SGT) metadata in your policies.
With an access control policy only. No realm or identity policy are necessary.

Use this method to control network access using SGT metadata alone.