I am setting up an evaluation deployment of the Cisco ASA SSL VPN. Our intended use will be as Client (AnyConnect) Access for Employees and as Clientless Access for third parties (i.e. contractors, consultants, alumni, etc.). Both will use username/password for Authentication. For Employees, we want to take this one step further and check for the existence of a certificate on corporate-issued hardware. The certificate would be issued by an internal CA (and we do not currently use Revocation Lists). I have found that I can set this up in two ways: either as a Prelogin Policy to check for the existence of the certificate, or within the Connection Profile Authentication as Both. If I use a Prelogin Policy, I understand I need to map the Failure case to an appropriate policy to account for the third-party access.
What would be the benefits / disadvantages in selecting one certificate check method over another? I'm trying to avoid being short-sighted in the deployment and do not see how one method may be more or less advantageous than the other.