Cisco ISE integration with Cisco AnyConnect

mesarasimth1
Level 1

Hi,

I want to set up Posture on ISE version 2 for my AnyConnect clients, so that when they connect their remote session the posture process starts to check if a file exists on their computer. I have uploaded the AnyConnect package version 4.3.pkg and compliance module 4.2.5. The important point here is that I don't want to use NAC Agent; I just want the AnyConnect software to check everything. I have set up all the configurations, but when I connect my AnyConnect no posture procedure starts. I was wondering if you can give me a simple example of this configuration.

Also, I should mention that when connecting my AnyConnect, no posture package download procedure starts on my client.

Thanks

10 Replies

Marvin Rhoads
Hall of Fame

The topic is more than can be answered in a single post. Please have a look at the guides linked on the public ISE community here:

https://communities.cisco.com/docs/DOC-64013

If you follow them, you should be able to get posture working nicely. If you have further doubt after consulting them, please let us know. 

Thanks,

Just another question: what compliance module version should I use? Because I think HostScan is an independent module after the 3.x AnyConnect compliance module. Should I use AnyConnect compliance module 3.x or 4.x?

If you have AnyConnect 4.3 or later and ISE 2.1 or later then you should use AnyConnect Compliance Module 4.2 (latest release for Windows clients as of now is 4.2.508).

Otherwise use the 3.6 module. (3.6.11017 is the latest build).

They can be found on the AnyConnect download page:

https://software.cisco.com/download/release.html?mdfid=286281283&flowid=72322&softwareid=282364313&release=4.3.05019&relind=AVAILABLE&rellifecycle=&reltype=latest

Actually I have ISE 2.0.0.306 and AnyConnectDesktopWindows 4.3.00748 and AnyConnectComplianceModuleWindows 4.2.508.0

So I guess I should use the 3.6 module, right?

I have tried all of these but I got nowhere. I just need to see the posture pop-up from AnyConnect. Here is my configuration:

1. I have uploaded "anyconnect-win-4.3.00748-k9" on my ASA.

2. I have installed "anyconnect-win-4.3.02039-pre-deploy-k9.msi" on my computer.

3. I have uploaded "anyconnect-win-4.3.00748-k9" on my ISE.

4. I have uploaded "AnyConnectComplianceModuleWindows 3.6.11017.2" on my ISE.

5. I have configured "anyconnect profile" with "*" in the "server name rule" field.

6. I have configured "anyconnect config" with both AnyConnect and compliance, with "ISE Posture" checked and the profile configured in it.

7. Configuring a client provisioning rule.

But when I try to connect to a remote VPN, I just get the connected message and there is no sign of posture checking. (I don't need to check any rule.) I'm aware that I have not configured the Authentication and Authorization Rules, but the posture process should start anyway, right?

You need to have the Authorization policy redirect clients for posture to kick things off.

Please have a look at this document:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

Note that it instructs you to check in the AuthZ policy whether a client has compliant, non-compliant or unknown posture status. Unknown status forces the client to the Client Provisioning Portal where the Posture Agent is activated and, once that happens, the process cycles back through as a result of CoA and we should then be able to ascertain Compliant or non-Compliant status.

I did it step by step (except I'm not using NAC Agent and I'm using the AnyConnect agent), but posture does not work. I checked my ISE logs and the posture status is just empty and nothing is being shown in my ISE RADIUS logs. What could I have possibly done wrong?

You do have Apex licenses - correct?

Yes, I have that.

Actually I think that's because the posture status is unknown.

Hard to say what exactly you missed without looking through your system. I've done several deployments with Posture and have never seen this issue.

Are you getting the AnyConnect Posture module installed when it deploys to your end users? Have you built a Posture profile to govern the behavior of the module? Here are a couple of examples:

https://communities.cisco.com/docs/DOC-69831#jive_content_id_The_Client_Provisioning_Resources

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200508-Configure-ISE-2-1-and-AnyConnect-4-3-Pos.html#anc10

Can you open a TAC case?
