We have AD authentication working well for user authentication of AnyConnect sessions. We now need to restrict AnyConnect access to ONLY machines registered in AD. I'm not having any success with this. What's the best way to do this?
You can try split tunneling. Define a standard ACL that contains only those hosts/subnets and allow it in the group policy that is pushed to the users.
Also, you can use a DAP policy to push access to certain hosts.
The most common method is to use a Dynamic Access Policy (DAP). That requires that you have AnyConnect Premium and Advanced Endpoint Assessment licenses. If you do, we can refer to the Configuration Guide section on DAP. Typically we search for a registry key that identifies the domain membership.
The other alternative is to issue machine certificates and use the certificate as the first step of a two-factor authentication method. That does not require either of the two licenses I mentioned - only AnyConnect Essentials (although if you have them, that's OK).
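An added example of the machine-certificate approach described in the answer above (not the poster's own configuration): an ASA CLI fragment that requires a certificate issued to domain computers before the AD username/password is checked. The trustpoint, certificate map, tunnel-group, AAA server-group, group-policy names and the issuer/OU values are assumptions; match them to your own CA and certificate template.

```text
! CA that issues the AD machine certificates (assumed name).
! Import the CA certificate afterwards with: crypto ca authenticate AD-MACHINE-CA
crypto ca trustpoint AD-MACHINE-CA
 enrollment terminal
 crl configure
!
! Accept only certificates from that issuer whose subject OU marks them
! as machine certificates (values are assumptions; use your template's values).
crypto ca certificate map AD-MACHINE-MAP 10
 issuer-name attr cn eq "Corp Issuing CA"
 subject-name attr ou eq "Domain Computers"
!
! Tunnel group: certificate first, then AAA (AD) credentials.
tunnel-group ANYCONNECT-AD type remote-access
tunnel-group ANYCONNECT-AD general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-ANYCONNECT-AD
tunnel-group ANYCONNECT-AD webvpn-attributes
 authentication aaa certificate
!
! Steer sessions presenting a matching certificate into that tunnel group.
webvpn
 certificate-group-map AD-MACHINE-MAP 10 ANYCONNECT-AD
```

Two checks worth making: the AnyConnect client profile must allow the machine certificate store (CertificateStore set to Machine or All), and a session whose certificate matches no map falls back to the default WebVPN tunnel group, so that group should not be able to grant access on its own.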