We are keen on considering an agentless ISE scenario in order to avoid adding another 'agent' on the endpoint. This will also be a requirement for dealing with endpoints that are not corporate managed, or non-supplicant devices (thermostats, cameras, etc.).
We know the ISE agent does posture assessment with simple or compound condition check and remediation. No issue with that.
But, in the agentless scenario:
- can ISE do a compliance check for anti-virus and OS patch levels and offer a remediation link?
- can ISE check if hosts are part of the domain, or the security posture of the endpoint?
We need a "quarantine" network/segment where endpoints that fail can obtain the required tools and software to be able to connect to the corp network.
I would suggest using the Cisco Temporal Agent, which replaces the NAC Web Agent. It's a native application that is downloaded to the Windows/macOS endpoint, without installation, to evaluate posture compliance.