Hi,
I am deploying AnyConnect 4.5.04029 at a customer location for posturing. My query is:
Even though I disable the posture Authz policies that would contain Web redirection, the posture module runs and scans the system. So, for example, if I have a policy that says "dot1x" then "permit access" and if I have the posture module, it still runs the scan, which is not expected behaviour, because there is no Web redirection enabled at all.
Steps performed:
1) Disable client provisioning policy - If I do this, then on the posture module I get the message "Bypassing AnyConnect Scan. Your network is configured to use Cisco NAC Agent". Ideally it should be "Policy Server not detected. Default network access is in effect".
2) As soon as I enable client provisioning policy, it goes for posture and sends the report as well.
3) I also observed that when it runs the scan without a web redirection AuthZ profile, it does not honor Audit mode either. If the machine is non-compliant, remediation is attempted in spite of posture being in audit mode.
4) It is observed for both wired and wireless.
Worked with TAC and as per TAC, it is expected behaviour beginning with ISE 2.2. I do not see this behaviour mentioned anywhere by Cisco.
Would appreciate it if anyone can share their thoughts. Thank you!