Hi team, Trying to find some validation/documentation around this solution: ISE: 2.6 VPN: 4.5&4.7 AnyConnect with ISE Posture/Compliance module MFA: Microsoft's MFA Authentication System: Windows10   Desired solution outcome A) User will login into windows10 PC using AD credentials and Microsoft's MFA. When successful login - initiate VPN AnyConnect client to automatically use the AD credentials  entered to login into the PC and automatically login / initiate VPN and its Posture modules (currently done via compliance module using ISE). Basically SSO solution.   Desired solution outcome B) Computer boots up and AnyConnect 4.7 initiates VPN Management Tunnel (feature of 4.7) connection to HQ and connects to AD. At the same time while system is connected via Management Tunnel, it may contacted by SCCM and other tools on the HQs management network and system/application patches can be pushed to PC as needed. At some point user will LOGIN to the PC using AD credentials and Microsoft's MFA. When this happens - then the VPN Management Tunnel is disconnected and AnyConnect user connection (again with cached credentials) (Single-Sign-ON) is initiated and auto connected this time as USER to HQ's VPN.   Looking for validation, issues, challenges and support for these outcomes.   Appreciate your feedback!       ... View more

Hey team ISE: 2.3 VPN: 4.7   Any one aware of possibility of first connecting to the network via VPN as user and have compliant assumed status (meaning user will have full access) THEN start the compliance check (in background) - if it comes back as not compliant, switch the user from full to noncompliant access.   Right now when posture is run on VPN you have the posture unknown state which is the REDIRECT ACL on ASA to allow users hit ISE PSNs. I'm wondering if there is a way to not redirect only the module when it needs to talk to the PSN but allow users fully on DURING the posture scan.   Thanks!     ... View more

Question on the new feature in 4.6 Management VPN Tunnel. Is there anyway to integrate this with ISE Posture/Compliance module? Example - only pre-connect PC via Anyconnect Management VPN Tunnel IF that PC has latest patches. Just like you could do with user initiated VPN tunnels.   Thanks ... View more