Client Provisioning Policy Condition to use NAC Agent & AnyConnect in Parallel

trcolber
Cisco Employee

I am working on an issue where the client needs to use the NAC agent and the AnyConnect posture module in parallel while he migrates all clients to AnyConnect. During testing, he has discovered that there are limited CPP conditions to choose from in order to differentiate the two. The majority of customers use AD groups or Device Location/Device Type while using both the NAC agent and the AnyConnect posture module simultaneously, but he would not like to go this route if possible.

What the client has discovered is that the attribute ConfigVersionID is a unique attribute for the NAC agent and the AnyConnect posture module, which can be seen in the Live Logs upon authentication. When a client machine has the NAC agent installed, this attribute value is always a specific number, and when the AnyConnect module is installed, it is always another specific number. We can see that this attribute is a condition available in the ISE policies, but not in the CPP policies, and the customer would like it added as an enhancement request. But before this is done, I want to confirm that the attribute ConfigVersionID is actually a good way to differentiate posture agents (NAC Agent/AnyConnect), since I can also see this value show up in the Live Logs for clients that authenticate without the NAC agent or AnyConnect posture module installed. Your assistance in confirming what this attribute value truly represents is appreciated before an enhancement request is filed to have it added as a condition in CPP policy.


2 Replies

hslai
Cisco Employee (Accepted Solution)

ConfigVersionID increments with any changes involving the ISE protocol runtime, so I do not think it is a good indicator to differentiate agents.

ISE 2.2 adds Endpoint Identity Groups, and ISE 2.3 adds the Endpoints dictionary and the Cisco-VPN3000 dictionary, as CP policy conditions. If the customer needs more than what was added in 2.2 and 2.3, please ask the account team to bring it up with our PM.

Hsing,

As always, thank you for the quick response and verification of this attribute. It is much appreciated.

Tremesha Colbert

Customer Support Engineer | Cisco TAC AAA
