Anyconnect Mobility client setup suggestions

gp1200x
Level 5

We have used IPSEC with VPN 30XXs and ACS 4.3 (or 4.2?) for years with the older VPN clients, but with Windows 10 we can no longer make it work. Time to switch to Anyconnect. We have a few ASA 5510/5520s with Anyconnect Premium peer support, so we can move off IPsec. I have it working using TLS with the ACS, but I think we need a new AAA server upgrade too.

Questions: What is the best / cheapest way to utilize somewhat of a two-factor authentication? Currently it seems that using the ACS only a user name and password (no group user/psw) is used to authenticate in. A paid cert on the 55xxs to avoid the security issue is not a problem, but certs for each client would be cumbersome to manage. ICS seems to be the way to go for managing users unless there is an easier/cheaper compatible product.

Any directions on the best way to go would be appreciated, since there appears to be a lot of options, all with additional costs. We want full IP connectivity like we have with IPsec, since we also have Citrix GW for specialized connections.

The only option I might want is to check for an antivirus service. We do not allow split tunneling for users, although I had it working during testing (split tunneling only for admin users).

We will stay with Anyconnect 3.x since it is free and supported for 3 more years from what I read. AC 4.x seems to imply additional client charges from what we currently have.

Thanks!  

Accepted Solution

Marvin Rhoads
Hall of Fame

If you're handy with Windows Server and want to stay on the low-cost route, then issue the users' certificates using SCEP proxy via the ASA. Then their issued certificate is the first authentication method and the second one is their password.

You can even set up the ASA to pull the username from the certificate automatically and prevent the user from typing in anything else if you so desire.

Have a look at the Cisco Live presentation "BRKSEC-3053 Practical PKI for Remote Access VPN" from San Diego 2015. It is a very thorough guide for doing this (and alternatively using ISE as well).

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=83702&backBtn=true

If you want to go third party, I have been very favorably impressed by the Duo Security 2FA solution. You do pay a recurring fee, but it's pretty reasonably priced. They have some step-by-step guides that are very well done.

https://www.duosecurity.com/docs/cisco


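As an added example (not part of the thread, and not taken from the Cisco Live deck linked above), here is the ASA CLI that wires together the three things Marvin describes: the ASA acting as SCEP proxy in front of a Windows NDES/MSCEP server, a production tunnel-group that requires both the issued certificate and a password checked against the existing ACS, and pulling the username out of the certificate so the user is not asked to type it. Every name, address and path in it (WIN-CA, ACS-RADIUS, VPN-POOL, GP-SSLVPN, SCEP-ENROLL, SSLVPN, VPN-CERT-MAP, ca.example.com, the 10.x addresses, the package and profile file names) is an assumed placeholder, not something from the original post. It assumes an ASA release with SCEP proxy support (8.4 or later) and AnyConnect 3.x:

```cisco
! Assumed placeholders throughout: WIN-CA, ACS-RADIUS, VPN-POOL, GP-SSLVPN,
! SCEP-ENROLL, SSLVPN, VPN-CERT-MAP, ca.example.com, 10.0.0.10, 10.10.10.0/24

! 1. Trust the Windows CA that will issue the user certificates.
!    The enrollment URL is the NDES/MSCEP endpoint on the Windows CA.
crypto ca trustpoint WIN-CA
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 revocation-check crl
 crl configure
! Fetch and fingerprint-verify the CA certificate (interactive):
crypto ca authenticate WIN-CA

! 2. The existing ACS, reached over RADIUS, stays the password factor.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.10
 key <shared-secret>

! 3. Address pool and a full-tunnel group policy (no split tunneling for users).
!    scep-forwarding-url is what makes the ASA proxy SCEP for AnyConnect.
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy GP-SSLVPN internal
group-policy GP-SSLVPN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 scep-forwarding-url value http://ca.example.com/certsrv/mscep/mscep.dll
 webvpn
  anyconnect profiles value VPN-PROFILE type user

! 4. Enrollment tunnel-group: password only, used once to obtain a certificate.
!    The AnyConnect profile's AutomaticSCEPHost must name this group.
tunnel-group SCEP-ENROLL type remote-access
tunnel-group SCEP-ENROLL general-attributes
 address-pool VPN-POOL
 authentication-server-group ACS-RADIUS
 default-group-policy GP-SSLVPN
tunnel-group SCEP-ENROLL webvpn-attributes
 authentication aaa
 scep-enrollment enable
 group-alias SCEP-ENROLL enable

! 5. Production tunnel-group: certificate AND password (two factors).
!    username-from-certificate + pre-fill-username takes the login name from
!    the cert's CN and hides the field so the user only types a password.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ACS-RADIUS
 default-group-policy GP-SSLVPN
 username-from-certificate CN
tunnel-group SSLVPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client hide
 group-alias SSLVPN enable

! 6. Only certificates from our CA with OU=VPN in the subject land in SSLVPN;
!    a certificate from any other trusted CA does not satisfy the first factor.
crypto ca certificate map VPN-CERT-MAP 10
 issuer-name attr cn eq example-ca
 subject-name attr ou eq vpn

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.x-k9.pkg 1
 anyconnect profiles VPN-PROFILE disk0:/vpn-profile.xml
 anyconnect enable
 certificate-group-map VPN-CERT-MAP 10 SSLVPN
 tunnel-group-list enable
```

The client side of this lives in the AnyConnect user profile (vpn-profile.xml above): its CertificateEnrollment section names the SCEP-ENROLL group as the AutomaticSCEPHost and sets the subject template (CN=%USER%, OU=VPN), so a client with no certificate first connects with a password, receives a certificate through the ASA, and from then on connects to SSLVPN. Two checks worth doing before calling this two-factor: confirm the issued key is marked non-exportable on the Windows side (otherwise the "something you have" copies as easily as a password), and confirm the ASA can actually reach the CA's CRL distribution point, since `revocation-check crl` will reject every certificate if it cannot. The antivirus check the original poster mentions is a posture (HostScan) feature on top of this and is not covered by the configuration above.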
Thanks... Very informative and a nice place for me to start running with it. It's basically the same way I was thinking of doing it more than 7 years ago when I looked into it, but IPSEC and ACS just kept working flawlessly with every Win upgrade. Win 10 finally broke that scenario.