Hello fellow engineers! I have been fruitlessly searching for this solution for days and need your assistance. I also posted this subject on the Cisco Support Forums.
KEY COMPONENTS
ISE 2.1
ASA 5512-X 9.5.2
Windows 7 Pro (with AD-provided machine certificates)
MS AD
AD Certificate Authority
The ASA VPN setup is complete and successfully tested utilizing ISE as the aaa-server. Differentiated authorization is accomplished via AD user group membership and DACLs. All of that works flawlessly.
My client now requires an additional condition for authorization, which is validation that the endpoint belongs to the organization. I would prefer to utilize the machine certificates, though I would settle for verifying that the machine is in "Domain Computers", or even both.
I realize that the authentication protocols in such a scenario are limited and do not include EAP-FAST (which would allow me to utilize the AnyConnect NAM client and ISE for EAP Chaining). As such, I need a solution to add machine authentication/validation to my current AuthC/AuthZ policy for AnyConnect SSL VPN. I have tried a number of options on my ISE AuthZ profiles, though none have worked.
Has anyone done this before? I found an old post from 3 years ago that vaguely described this, but I couldn't make heads or tails of it. Thanks for your help!
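One commonly used way to get the machine-certificate requirement into this picture is to have the ASA itself demand and validate the client certificate in addition to the ISE (RADIUS) user authentication, via `authentication aaa certificate` on the tunnel-group. The fragment below is added here as an illustration of that combination and is not configuration from the original poster; the names `AD-CA`, `MACHINE-CERT`, `CORP-VPN`, `CORP-GP`, `ISE` and the issuer CN `Corp-Issuing-CA` are placeholders, and the CA certificate itself is not shown.

```text
! Trust the AD Certificate Authority that issued the machine certificates.
! The Base64 CA certificate is pasted when "crypto ca authenticate" prompts.
crypto ca trustpoint AD-CA
 enrollment terminal
 crl configure
crypto ca authenticate AD-CA

! Only accept certificates issued by that CA for the VPN tunnel-group.
! (Assumed issuer CN; adjust to the real issuing CA name.)
crypto ca certificate map MACHINE-CERT 10
 issuer-name attr cn eq Corp-Issuing-CA

webvpn
 enable outside
 anyconnect enable
 certificate-group-map MACHINE-CERT 10 CORP-VPN

! User identity still goes to ISE over RADIUS (existing aaa-server group "ISE"),
! but the session is only allowed if BOTH the RADIUS auth and the certificate check pass.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group ISE
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
```

Two practical points when testing this: the AnyConnect client profile must be allowed to read the machine store (`CertificateStore` set to `Machine`, with `CertificateStoreOverride` enabled so a non-admin user can present it), and the certificate validation in this layout is performed by the ASA against its trustpoint, not by ISE. ISE continues to see only the RADIUS user authentication, so the existing AD-group/DACL authorization keeps working unchanged, but a "Domain Computers" membership check for the machine account would need a separate mechanism; this fragment does not provide it.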