Machine Certificate Authentication with COA redirect to SSO webserver
04-19-2023 12:00 PM
I have been researching performing machine authentication for compliance reasons using our ASA appliances and SSO with MFA. I am running into some roadblocks. I know that we can use an AAA instance using Machine Certificates/Both and use our software tokens with PIN and token key. But the company is using Authenticate approve methods in a Hybrid Cloud environment now and using, from what I understand, plain RADIUS OTP AAA running through Cisco ISE. We could continue this if needed, if the requirement is fulfilled.
This seems tricky: switching the main tunnel group for the current config over to Machine Authentication (the company uses the local CA for MAB, wired and wireless clients). I am sure I am missing some key points, but would it be possible or practical to set up a management tunnel to perform the machine authentication to validate domain access machines, and create a parent primary DTLS tunnel for actual AAA logins to the enterprise network for access?
My company has most Cisco tools to accomplish this, but currently we are using an ASA 5500, ASAv and Meraki appliances. We also could stand up another ISE CWA DMZ server if needed. A CoA (Change of Authorization) using a webified RADIUS captive portal is also another possibility.
Is it possible to implement a separate management tunnel instance for machine authentication and use another instance for user logon access?
Assumptions: I expect to be corrected here.
- Using SAML on the ASA means that it is the only authentication factor available and certificates can't be used
- ASA doesn't support dot1x; is this true? It's a wired IOS NAD
- It's possible to use posture for machine checking... I understand there is a way for it to be transparent ("agentless") and just allow access to the SSO web page. We would rather not be mixing supplicants just because of the lack of dot1x support on the ASA, if true
- Meraki does support AnyConnect and SAML, as does the Firepower appliance
Thanks in advance!
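The two-tunnel-group split asked about above, written out as an added ASA CLI example (not from the post, not from a Cisco document, and not a tested production config): one tunnel-group that accepts only the machine certificate and carries the AnyConnect management VPN profile, and a second tunnel-group that authenticates users with SAML. All object names, URLs, address pools, the split-tunnel network and the certificate attributes (Example Enterprise Issuing CA, OU Domain Computers) are assumptions chosen for the example; substitute the real CA, IdP and addressing.

```cisco
! Trust the enterprise CA that issues the machine certificates
! (trustpoint name and CRL checking are assumptions for the example)
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 crl configure
!
! Certificate map: only certs from the enterprise CA with the machine OU
! are mapped to the management tunnel-group; anything else falls through
! to the user tunnel-group and its SAML challenge (attribute values assumed)
crypto ca certificate map MACHINE-CERT-MAP 10
 issuer-name attr cn eq Example Enterprise Issuing CA
 subject-name attr ou eq Domain Computers
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect profiles MGMT-PROFILE disk0:/mgmt-profile.xml
 anyconnect profiles USER-PROFILE disk0:/user-profile.xml
 anyconnect enable
 ! Map matching machine certificates to the management tunnel-group
 certificate-group-map MACHINE-CERT-MAP 10 MGMT-TUNNEL
 ! SAML identity provider for the user tunnel (IdP URLs/trustpoints assumed)
 saml idp https://idp.example.com/saml/metadata
  url sign-in https://idp.example.com/saml/sso
  url sign-out https://idp.example.com/saml/slo
  base-url https://vpn.example.com
  trustpoint idp IDP-TP
  trustpoint sp SP-TP
  no force re-authentication
  no signature
!
ip local pool MGMT-POOL 10.255.0.1-10.255.0.254 mask 255.255.255.0
ip local pool USER-POOL 10.254.0.1-10.254.0.254 mask 255.255.255.0
!
! Management tunnel must be split-tunneled (never tunnel-all); keep the
! list to the domain controllers / management hosts the machine needs
access-list MGMT-SPLIT standard permit 10.10.0.0 255.255.0.0
!
! --- Management VPN tunnel: machine certificate only, no user interaction ---
group-policy MGMT-GP internal
group-policy MGMT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MGMT-SPLIT
 client-bypass-protocol enable
 anyconnect profiles value MGMT-PROFILE type vpn-mgmt
!
tunnel-group MGMT-TUNNEL type remote-access
tunnel-group MGMT-TUNNEL general-attributes
 address-pool MGMT-POOL
 default-group-policy MGMT-GP
tunnel-group MGMT-TUNNEL webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/mgmt enable
!
! --- User tunnel: SAML/SSO with the IdP's MFA, separate pool and policy ---
group-policy USER-GP internal
group-policy USER-GP attributes
 vpn-tunnel-protocol ssl-client
 anyconnect profiles value USER-PROFILE type user
!
tunnel-group USER-TUNNEL type remote-access
tunnel-group USER-TUNNEL general-attributes
 address-pool USER-POOL
 default-group-policy USER-GP
tunnel-group USER-TUNNEL webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/saml/metadata
 group-url https://vpn.example.com/users enable
```

The point of the certificate map is that the machine certificate is the only credential the management tunnel-group accepts, and a certificate that does not match the map is not routed into it, so a user who reaches the user URL is still pushed through the SAML flow and the IdP's MFA. Keeping the two tunnel-groups on separate address pools also makes it straightforward to write firewall and ISE policy that distinguishes "domain machine, no user yet" traffic from authenticated user traffic.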
