Thanks ROB...Appreciate your swift responses always..

Thanks Rob and Marvin.

i was wondering if i can restrict the RA VPN users to access the anyconnect client only by the registered domain PCs(like MAC addresses or hostname etc) so in that case can i save the money(for DUO) and secure the connection also, even if username and password is stolen still correct device would be required to login via ANyconnect.

Hope i wrote correct what i meant... so is it possible ?  

We have a single ISE node in our infra working to provide wireless 1) Guest access and 2) wireless Staff access for domain PCs to join via machine authentication and PEAP. However its a single point of failure.

I want to know if its possible to bring the RA VPN users via ISE and authenticate their PCs whether its domain PCs and then allow access to the ANyconnect client to connect the VPN ?

Secondly, if we go for this do we require any licenses on ISE (like VPN on ISE license) etc.

What you guys suggest for my current environment considering single ISE node and presently the FMC and FTD has no contact with ISE whatsoever...Pls guide 

is there any way we can check the registrykey like its available in Fortigate FWs to verify the device before connecting to RA VPN so in this way we can prevent personal devices to connect and allow only domain PC etc.

Thanks Rob,

We do not have ISE appliance. is there any other way we can achieve via FMC or FTD?

Not with the FMC without ISE no. If you were managing the FTD locally using FDM you could configure DAP, but this is not fully developed yet.

In your situation if you deployed a certificate to your domain computers you could ensure only these computers would be able to authenticate.