How to provide Anyconnect vpn access only for domain computers?

RDavidov (Level 1)

I'm trying to set up AnyConnect VPN on ISE 2.4 with Profiling Services based on the AD probe to give access only to AD-joined computers. Is there a real AnyConnect + AD-Host-Exists setup guide, and is it possible to do this without 802.1X?

2 Replies

Hi,
I don't think the ISE AD Probe will be able to gather that information when connecting over the VPN.

It depends on your VPN headend (ASA or FTD). If you are using ASA, you could use DAP to check a registry value to determine whether the computer is joined to your domain. If using ASA or FTD, you could use certificate authentication (as well as username/password or 2FA); the certificate would be issued by your internal CA, so only your domain-joined computers would have this certificate.

HTH

Mike.Cifelli (VIP Alumni)

> I'm trying to set up AnyConnect VPN on ISE 2.4 with Profiling Services based on the AD probe to give access only to AD-joined computers. Is there a real AnyConnect + AD-Host-Exists setup guide, and is it possible to do this without 802.1X?
You have several options to accomplish your goal, IMO. Are the computers permanently remote, or do they come to site and then go remote? If they are on-site and remote, then you could profile machines based on AD-Host-Exists EQUALS true and then add those MACs to an L2 endpoint group that gets referenced in your policies.

Something I do in my environment is actually deploy ISE posture that checks certain files, registry keys, and even unique domain software/services. One registry key I check for on Windows hosts determines whether it is an actual domain-joined host. That key is: HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\, value name MachineDomain, string EQUALS <your domain>.

Something else you could do to accomplish this is rely on the client provisioning portal <other conditions> and just set one of the conditions to external AD group equals <your AD group>.

Good luck, and I strongly recommend looking at this: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

HTH!
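As an added example (not code from either reply, from Cisco, or from ISE), the PowerShell script below shows the endpoint side of the two approaches in this thread: the Group Policy History MachineDomain value that an ISE posture registry condition or an ASA DAP registry check would read (second reply), and the presence of a currently valid machine certificate from the internal CA that the certificate-authentication option depends on (first reply). It also reads the OS's own domain-membership answer from Win32_ComputerSystem so you can compare it with the registry artifact. The domain name corp.example.com and the issuer CN=Corp-Issuing-CA are placeholder assumptions; confirm on a known-good host whether MachineDomain holds the DNS or the NetBIOS form of your domain before building the posture or DAP condition on it.

```powershell
# Added example, not from the thread: endpoint-side view of the checks discussed above.
# Assumptions (placeholders): the AD domain is corp.example.com and the internal issuing CA
# has subject CN=Corp-Issuing-CA. Run in an elevated PowerShell on a Windows host.

function Test-DomainJoinedEndpoint {
    param(
        [string]$ExpectedDomain = 'corp.example.com',   # assumed domain name
        [string]$ExpectedIssuer = 'CN=Corp-Issuing-CA'  # assumed issuer DN fragment
    )

    # 1. The registry condition from the second reply (what an ISE posture or ASA DAP
    #    registry check would evaluate). The key only exists after Group Policy has
    #    applied at least once, so a freshly joined machine may not have it yet.
    $gpHistory = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $machineDomain = (Get-ItemProperty -Path $gpHistory -Name MachineDomain -ErrorAction SilentlyContinue).MachineDomain
    $registryPass = ([bool]$machineDomain) -and ($machineDomain -ieq $ExpectedDomain)

    # 2. The OS's own answer, to compare against the registry artifact.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # 3. The certificate condition from the first reply: a currently valid certificate in the
    #    machine store, with a private key, issued by the internal CA. Headend-side the ASA/FTD
    #    would enforce this with certificate authentication against the same CA.
    $now = Get-Date
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -like "*$ExpectedIssuer*" -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter -gt $now
    })

    [pscustomobject]@{
        MachineDomainRegistry  = $machineDomain
        RegistryCheckPasses    = $registryPass
        PartOfDomain           = $cs.PartOfDomain
        DomainFromOS           = $cs.Domain
        InternalCaMachineCerts = $certs.Count
        CertificateCheckPasses = ($certs.Count -gt 0)
        CertThumbprints        = @($certs | Select-Object -ExpandProperty Thumbprint)
    }
}

Test-DomainJoinedEndpoint | Format-List
```

One caveat when choosing between the two conditions: any local administrator can write an HKLM value on an unmanaged machine, so the registry check attests how the box is configured rather than who issued it, whereas the certificate option ties the decision to a private key that only a domain-enrolled machine received from your CA. The registry condition is a reasonable posture signal; the certificate is the stronger gate at the headend.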