
ISE Posture Status During Remediation Timer

Hi All,

We have 3 Authorization Policies for Posture:

1) Posture status Unknown > redirect to the Client Provisioning Portal to install the Posture Module for new clients. DACL applied to limit access to only ISE and DHCP/DNS.

2) Posture status NonCompliant > apply DACL to allow only DHCP/DNS and Internet (for remediation work like signature updates).

3) Posture status Compliant > apply DACL permit all.

When the user finishes installing the Posture module, it goes through posture policy checking, and if the user is not compliant with any posture policy, AnyConnect shows a pop-up window with a Remediation Timer of 4 min (default). Strangely, during this remediation period, the posture status of the client is shown as Pending in the ISE live log. During this time, the user matches the Unknown status rule and thus has no network access to do any remediation work. Only when the timer expires or we forcefully cancel the remediation pop-up window does it turn into NonCompliant status. Is this expected behavior?

 

Can AnyConnect just notify the user which posture policy they are not compliant with and go straight into the NonCompliant state instead of waiting for the Remediation timer to expire?

 

2 Replies

Pulkit Mittal
Level 1

I suggest creating another Authorization Policy for Posture Pending and applying a DACL to allow only DHCP, DNS and Internet for remediation to happen.

The problem is ISE doesn’t have a posture status of Pending. It only has Compliant, NonCompliant and Unknown under condition. But in the live log, it shows as Pending.