Cisco ISE 2.4- AD Authentication

mgr
Level 1

Hi,

We are planning to deploy ISE for 802.1X authentication on the wired LAN. We want to authenticate AD users who log in through domain PCs to gain access to the network based on 802.1X.

Please help me with the following scenario.

1. The user logs into his/her laptop using domain credentials (from the cache, without connecting to the network).

2. The login is successful.

3. After logging in, the user connects the laptop to a network port that is configured for 802.1X authentication.

In this case, if we configure a policy to allow users based on AD username and password, will ISE prompt the user to provide the username and password once again when he/she connects to the network, or will the authentication happen in the background without any user intervention?


5 Replies

Jason Kunst
Cisco Employee
It depends on how the supplicant is set. There is a setting to use the credentials from the login:
https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client

Hi Jason,

Thanks a lot for responding. This answers my query. The link is very useful as well.

Another question: I am trying to authenticate a corporate user with a corporate device to gain access to the network.

The corporate device has two certificates, one for the machine and another for the user.

I want to match the hostname of the computer against my AD's "Domain Computers" group and the domain user name of the user against my AD's "Domain Users" group.

I only have the base license of ISE and no other additional licenses. I am using the Windows native supplicant and no other additional supplicants.
Is it possible to achieve this? If yes, how do I configure my Windows machine to send both machine and user credentials to ISE?

What you want to do is possible with a base license; it is a standard authentication flow. If you want to match/authenticate both the machine and the user at the same time, though, then you will not be able to do this with the native supplicant. You would have to leverage AnyConnect's NAM module; you can read about this if you google "NAM EAP chaining". I can find you a guide if you have trouble locating it.

With the Windows supplicant you can do both machine and user authentication, but it is one at a time. Ex.: the machine boots up and performs machine auth, then the user logs in and performs user auth. The native supplicant won't chain machine+user at the same time.

With NAM it usually looks like this:
the machine boots up and the NAM supplicant sends machine auth. The user logs in and then NAM sends both machine+user auth attempts chained in one.

Hi, thanks for your response. I would like to try the Windows native supplicant, and I am fine with the authentication in succession: machine authentication during bootup and user authentication later. Could you please let me know if there are any guides to configure my Windows machine for this?
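The last post asks how to set up the Windows native supplicant for machine authentication at boot and user authentication after logon. As an added example that is not part of this thread or of Cisco's documentation, the following PowerShell audit script shows the two settings on a domain PC that decide that behaviour: the Wired AutoConfig service (dot3svc) must be running, and the wired profile's `authMode` must be `machineOrUser` (Windows' name for the sequential machine-then-user flow described in the reply above; `machine` and `user` are the single-mode alternatives). It assumes an elevated PowerShell session, the built-in `netsh lan` commands, and the element names of the Windows LAN profile XML as exported by `netsh`; the report layout is constructed for this example.

```powershell
# Added example (not from the thread): audit the Windows native wired supplicant
# on a domain PC to confirm it will send machine auth at boot and user auth at logon.
# Assumes an elevated PowerShell session and the standard netsh lan export format.

# 1. Wired AutoConfig (dot3svc) must be running, otherwise 802.1X on wired
#    adapters is inactive and the Authentication tab does not even appear.
$svc = Get-Service -Name dot3svc
if ($svc.Status -ne 'Running') {
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc
}

# 2. Export the current wired profile(s) to a scratch folder for inspection.
$outDir = Join-Path $env:TEMP 'lanprofiles'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
netsh lan export profile folder="$outDir" | Out-Null

# 3. Read each exported profile and report the 802.1X settings that decide the flow.
function Get-WiredSupplicantReport {
    param([string]$Folder)

    Get-ChildItem -Path $Folder -Filter '*.xml' | ForEach-Object {
        [xml]$p = Get-Content -Path $_.FullName
        $sec  = $p.LANProfile.MSM.security
        $oneX = $sec.OneX
        [pscustomobject]@{
            Profile     = $_.Name
            OneXEnabled = $sec.OneXEnabled       # 'true'  : 802.1X is on for this adapter
            AuthMode    = $oneX.authMode         # machineOrUser : machine at boot, user after logon
            CacheUser   = $oneX.cacheUserData    # 'true'  : user credentials kept across reboots
            EapType     = $oneX.EAPConfig.EapHostConfig.EapMethod.Type  # 13 = EAP-TLS, 25 = PEAP
        }
    }
}

Get-WiredSupplicantReport -Folder $outDir | Format-Table -AutoSize
```

If `AuthMode` comes back as `user`, the supplicant never sends a machine authentication at boot, so an ISE rule that matches the hostname against Domain Computers will never hit; if it is `machine`, the logged-on user's own credentials are never sent. With `machineOrUser` and EAP-TLS (type 13), the machine certificate is presented until a user logs on and the user certificate afterwards, which is the one-at-a-time behaviour the reply above describes.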