It all depends on what you mean by "check continuously" because this is a setting which can be set. Though I doubt anyone would set it so low that it would be checking all the time. Everyday or so is usually good enough, unless you notice a higher than normal number of problems on your network.
This is taken directly from the Cisco NAC Appliance Field Q&A:
"Yes. The administrator can set the length of time after which all users on the certified devices list will need to be rescanned. Most customers require rescanning between once daily and once weekly. Administrators can also manually reset the certified devices list in the event of high worm and virus activity."
The "Silent" Posture assessment sounds like a great feature request. Unfortunately, here is what the documentation states:
"In most OOB deployments (except L2 OOB Virtual Gateway where the Default Access VLAN is the Access VLAN in Port profile), the client, after posture assessment, needs to acquire a different IP address from the Access VLAN."
I don't see anyway around having end users go through the authentication/posture assessment again.
You are correct that in OOB mode end users have the ability to do something "nasty" after they have been allowed on the network.
I suppose another layer of security is what is needed in these cases, like a Cisco Security Agent to prevent Day Zero attacks.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...