Hi Team,

We're testing ISE2.2 with AnyConnect 4.4 and ISE Compliance module 4.x for VPN.

Everything works as expected except for something that i am not sure if we're missing something or this is what the system can do.

When we do client provisioning for the additional modules (Anyconnect ISE compliance module) and not ASA it seems that when you initially connect on the VPN it can not happen automatically and transparently as is it if you do it on the ASA. The only way the provisioning of the additional modules is actually triggered is via ISE Web provisioning portal, when the client is automatically redirected by the ASA thanks to the redirect ACL pushed by the ISE.

It works, but its kind of semi-manual. The user experience is much smoother if you configure provisioning of the additional modules from the ASA, because the process starts immediately and fully automatically and transparently right after VPN is up.

So my question is - If the user that connects has only AnyConnect client without any additional modules - is there a way to setup the ISE provisioning process to start automatically and transparently when the AnyConnect user connects to the VPN without the need for the user to click on the ISE Web provisioning portal, downloading and starting the downloader tool?