Thanks guys. I understand the implications of caching posture tokens for extended times and have explained that to the end users. They would like to err on the side of usability.
The real issue is their device doesn't support any kind of CoA or ability to re-auth the session, so you have to use the agent bounce and then you obviously lose connectivity no matter what. This happens on every session. Maybe there's a better way to do this? I don't have screen caps and I'm not onsite now but here's my logic in the service:
If computer AND posture NOT EQUALS healthy --> quarantine VLAN enforcement profile
OnGuard web service
If SHV passes all checks --> posture = healthy --> Agent bounce enforcement
If SHV fails one or more --> posture = quarantine --> Agent bounce enforcement
I'll get some screen caps tomorrow when I'm back onsite but is there a better / recommended way to do this?