11-11-2024 11:45 PM
Dear Team,
Does anyone know if the below option is available?
My customer connecting through ISE needs to block the outside network using the AnyConnect agent.
If a user laptop with the AnyConnect secure agent is trying to connect to a home network or any other non-corporate network, AnyConnect should not authenticate. Is this possible?
11-11-2024 11:49 PM - edited 11-11-2024 11:50 PM
Use full-tunnel and hence VPN filter; this is done in the FW.
MHM
11-11-2024 11:54 PM - edited 11-11-2024 11:54 PM
Dear MHM,
Thanks for the reply, but the customer wants to block the outside network using the ISE AnyConnect agent. Is it possible without a firewall?
If the user connects the laptop to the corporate LAN it works fine, and the same laptop user should not be able to connect to other home Wi-Fi or any network.
11-12-2024 01:36 AM
Sorry, without a FW or router (as GW of AnyConnect) you cannot do what you want.
ISE can help return some attributes, but it depends on the GW to restrict the traffic.
MHM
11-12-2024 01:09 AM
@irshadkal if I understand your question correctly, you want to block your devices with AnyConnect from connecting to a home network? You could use the AnyConnect NAM module (if licensed) to permit access to trusted networks only and deny others.
11-12-2024 01:26 AM
That is not something you can do with ISE because ISE has no idea of what the endpoint is trying to connect to. ISE, simply put, can return attributes to be associated with the endpoint or user sessions; however, the authentication requests have to go to ISE in the first place, and then ISE will return the authorization attributes after the authentication has passed, but this is not the case here. You can leverage NAM as suggested by @Rob Ingram, which allows you to restrict the network profiles based on the company policies. Another thing you might be able to do is to disable the dot1x fallback from the endpoint's dot1x supplicant config, but this would be applicable only if you have dot1x implemented in your network. You can find this option in the supplicant authentication tab and it's called "Fallback to unauthorized network access".
11-12-2024 01:55 AM
Dear,
The client is using Cisco Secure Client (NAM agent), but I didn't see any option for trusted networks there on the NAM module or in the NAM profile editor. If you have any reference, kindly share the link.
Fallback is available on the native agent, so it's not possible.
11-12-2024 02:21 AM
Check out this video please:
how to configure network access manager profile editor cisco any connect on windows - YouTube
11-12-2024 02:26 AM
The option that would restrict the users from interacting with the network settings you configure in the NAM profile should be in the "Client Policy" tab under the "End-user Control" section; it should be called "Disable Client". That should not be ticked.