The options Enforce and Deny are the only boolean options for the built in isolation networks
Deny--no further processing is done
Enforce ---> further processing and VLAN assignment will be done according to port group membership
To develop different Authentication, Endpoint Complaince, Network Access Policies based on attributes , you can do that by creating different User Host Profiles with the required attributes and then map this UHP to your Policies
That would be the solution, but unfortunately there is no way to do it so, since the state based enforcement takes precedence over policy based access. Means when you have a host in state "Authentication" it will be dropped in the VLAN defined for "Authentication" network in Switch "model configuration" whatever is the profile that it may match.
My objective is simple.. Lets define few attributes first..
- Corp host : Host having FNAC persistent agent, specific OS, specific AV and so
- Guest host : Host with any other attibutes
My objective here is not to put Corp hosts and Guest hosts in the same authentication network when they are in authentication state, 1st because Guest hosts are not secure, 2nd because Corp hosts must have extra access to some resources even when in authentication state.