I am currently deploying ISE 2.3 with posture (let's call it Deployment A), and we have some employees that have to VPN (AnyConnect) in to another organization (Deployment B) that is also running ISE posture.
Previously, when they connected to Deployment B before we installed the posture agent on their machines, they would connect with no problem; no posturing was taking place. Once the posture agent for Deployment A was installed, they now fail posture in Deployment B and are not able to VPN in because the Deployment B ISE servers were not trusted.
I have tried a couple of options:
Add the Deployment B servers to the allowed server list. This is messy, as it downloads the Deployment B posture config, and then when they return they are locked out because Deployment B's config does not trust Deployment A's ISE servers. Deployment B could add Deployment A's servers as trusted, but every time they switch between them they download a new config.
Exempt these employees from posture for Deployment A; also not something we want to do.
Require the users to use a local VM to connect to Deployment B; also not a good option, as many of these users are not tech savvy.
Have Deployment B exempt these users from posture; they were not being postured before they had the agent, so it is no different now.
Are there any other options that could be used without Deployment B having to make changes on their end?