<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic AnyConnect 4.5.04029 posture module behaviour in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/anyconnect-4-5-04029-posture-module-behaviour/m-p/3559463#M255</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am deploying AnyConnect 4.5.04029 at a customer location for posturing. My query is:&lt;/P&gt;&lt;P&gt;Even though I disable the posture AuthZ policies that would contain Web redirection, the posture module runs and scans the system. So, for example, if I have a policy that says "dot1x" then "permit access" and I have the posture module, it still runs the scan, which is not expected behaviour, because there is no Web redirection enabled at all.&lt;/P&gt;&lt;P&gt;Steps performed:&lt;/P&gt;&lt;P&gt;1) Disable the client provisioning policy - If I do this, then on the posture module I get the message "Bypassing AnyConnect Scan. Your network is configured to use Cisco NAC Agent". Ideally it should be "Policy Server not detected. Default network access is in effect".&lt;/P&gt;&lt;P&gt;2) As soon as I enable the client provisioning policy, it goes for posture and sends the report as well.&lt;/P&gt;&lt;P&gt;3) I also observed that when it runs the scan without a web redirection AuthZ profile, it does not honor Audit mode either. If the machine is non-compliant, remediation is attempted in spite of posture being in audit mode.&lt;/P&gt;&lt;P&gt;4) It is observed for both wired and wireless.&lt;/P&gt;&lt;P&gt;I worked with TAC and, as per TAC, it is expected behaviour beginning with ISE 2.2. I do not see this behaviour mentioned anywhere by Cisco.&lt;/P&gt;&lt;P&gt;I would appreciate it if anyone can share their thoughts. Thank you!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 08 Jun 2018 07:20:21 GMT</pubDate>
    <dc:creator>devvv85</dc:creator>
    <dc:date>2018-06-08T07:20:21Z</dc:date>
    <item>
      <title>AnyConnect 4.5.04029 posture module behaviour</title>
      <link>https://community.cisco.com/t5/network-security/anyconnect-4-5-04029-posture-module-behaviour/m-p/3559463#M255</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am deploying AnyConnect 4.5.04029 at a customer location for posturing. My query is:&lt;/P&gt;&lt;P&gt;Even though I disable the posture AuthZ policies that would contain Web redirection, the posture module runs and scans the system. So, for example, if I have a policy that says "dot1x" then "permit access" and I have the posture module, it still runs the scan, which is not expected behaviour, because there is no Web redirection enabled at all.&lt;/P&gt;&lt;P&gt;Steps performed:&lt;/P&gt;&lt;P&gt;1) Disable the client provisioning policy - If I do this, then on the posture module I get the message "Bypassing AnyConnect Scan. Your network is configured to use Cisco NAC Agent". Ideally it should be "Policy Server not detected. Default network access is in effect".&lt;/P&gt;&lt;P&gt;2) As soon as I enable the client provisioning policy, it goes for posture and sends the report as well.&lt;/P&gt;&lt;P&gt;3) I also observed that when it runs the scan without a web redirection AuthZ profile, it does not honor Audit mode either. If the machine is non-compliant, remediation is attempted in spite of posture being in audit mode.&lt;/P&gt;&lt;P&gt;4) It is observed for both wired and wireless.&lt;/P&gt;&lt;P&gt;I worked with TAC and, as per TAC, it is expected behaviour beginning with ISE 2.2. I do not see this behaviour mentioned anywhere by Cisco.&lt;/P&gt;&lt;P&gt;I would appreciate it if anyone can share their thoughts. Thank you!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 08 Jun 2018 07:20:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/anyconnect-4-5-04029-posture-module-behaviour/m-p/3559463#M255</guid>
      <dc:creator>devvv85</dc:creator>
      <dc:date>2018-06-08T07:20:21Z</dc:date>
    </item>
  </channel>
</rss>

