We are planning to use ISE for client certificate authentication.
When the client connects to the Any connect VPN the client certs are checked with the PKI infrastructure.
After the client has valid cert the client will use RSA token to authenticate.