I have an issue with MAC’s. Currently, I have VPN posturing setup with my Anyconnect client, ISE posture client, and Compliance module pointing to ISE.
We are in a split-tunnel setup.
Upon initial connection, Posturing happens fine. My machine is marked as "compliant." When I disconnect, my posture module stays "compliant." When I reconnect, it does NOT try to re-evaluate my posture status. and ISE thinks it's in the unknown state.
If I go to an internal page, I get redirected to ISE. And when that happens, my posture module still doesn't re-evaluate.
If I change my VPN to tunnel-all, it works fine.
enroll.cisco.com's IP has been added to my split tunnel. I also have ALL DNS going through the tunnel.
Is tunnel-all a requirement?