Bypassing AnyConnect scan (AnyConnect 4.8)
10-12-2021 09:04 AM - edited 10-12-2021 12:15 PM
Hi,
I have laptops connecting to the network via Wired and Wireless. I also have desktops connecting via Wired only.
About 50% of the time when the laptop boots up onto the Wired network, it gets the message "Bypassing AnyConnect scan — Your network is configured to use the Cisco NAC agent".
When I get this message, I have configured the option in the profile to scan again. This works: the client scans, becomes compliant and gains access to the network.
The laptop checks for Anti-Malware and also Windows patches. The Anti-Malware check is against compliance of 4.X or later. We are using 4.3.1453.6145 for the compliance module.
About 5% of the time this occurs on the desktops; they check for the same Anti-Malware and also Windows patches.
| Device | Wireless/Wired | AnyConnect Version | Compliance Module | Policy | AnyConnectConfig |
|---|---|---|---|---|---|
| Laptop | Wireless | 4.8.03036 | 4.3.1453.6145 | Use existing policy | PTSB AnyConnect Config |
| Laptop | Wired | 4.8.03036 | 4.3.1453.6145 | New policy that looks at AD group for Laptops | Wired-Laptops |
| Desktop | Wired | 4.10.02086 | 4.3.2336.6145 | New policy that looks at AD group for Laptops | Wired-Desktops |
Both the wired desktop and the wired laptop go to different AnyConnectConfigs, which highlight the AC version and compliance module. All other settings are the same.
I have removed all 3.X conditions from ISE. I have removed all unused requirements that come built-in with ISE. I have removed all unused built-in CPPs in ISE. I now have only the base install, and there are no NAC Agent resources, conditions, policies or remediations in ISE.
Any ideas?
10-18-2021 02:50 AM
Hi @Anthony O'Reilly ,
Generate a DART Bundle in both cases (with and without the issue) and compare the results (check the Cisco AnyConnect ISE Posture Event Viewer).
Hope this helps!!!
10-18-2021 04:21 AM
Definitely agree with @Marcelo Morais with the DART idea. You should see what the module is doing via those logs.
Some other items for consideration:
> About 50% of the time when the laptop boots up onto the Wired network, it gets the message "Bypassing AnyConnect scan — Your network is configured to use the Cisco NAC agent"

This typically means the clients are not matching ISE posture policies. Is it possible that there is a discrepancy with your posture matching conditions at startup? Can you share your conditions? Have you attempted to test another version of AnyConnect on the troubled clients? AnyConnect 4.8.03036 is very old.
