Cisco ISE Compliance

How To Upgrade and Deploy the

AnyConnect and NAC Agents with ISE

Author: Imran Bashir

 SECURE ACCESS HOW-TO GUIDES

Table of Contents
Introduction 4
What Is the Cisco TrustSec System? .............................................................................................................. 4
About the TrustSec How-To Guides ................................................................................................................ 4
Sample Topology used to write this guide ......................................................................................................................... 5
Lab IP Addresses and VLANs............................................................................................................................................... 6
Internal IP Addresses ................................................................................................................................ 6
Internal VLANs and IP Subnets ................................................................................................................ 6
Introduction to ISE Endpoint Compliance Services and Configuration Workflow ....................................................... 7
Exercise Description......................................................................................................................................... 7
Configure and Deploy Client Provisioning Services......................................................................................................... 9
Exercise Description......................................................................................................................................... 9
Exercise Objective ............................................................................................................................................ 9
Lab Exercise Steps........................................................................................................................................... 9
Define Authorization Policy for Client Provisioning and Posture Compliance........................................................... 15
Exercise Description....................................................................................................................................... 15
Exercise Objective .......................................................................................................................................... 15
Lab Exercise Steps......................................................................................................................................... 16
Test and Monitor Client Provisioning Services for NAC Web Agent............................................................................ 24
Exercise Description....................................................................................................................................... 24
Exercise Objective .......................................................................................................................................... 24
Lab Exercise Steps......................................................................................................................................... 24
Test and Monitor Client Provisioning Services for AnyConnect Unified Agent ......................................................... 29
Exercise Description....................................................................................................................................... 29
Exercise Objective .......................................................................................................................................... 29
Lab Exercise Steps......................................................................................................................................... 29
Configure an Anti-Virus Posture Policy ............................................................................................................................ 35
Exercise Description....................................................................................................................................... 35
Exercise Objective .......................................................................................................................................... 35
Lab Exercise Steps......................................................................................................................................... 36
OPTIONAL: Configure a Secure Screen Saver Posture Policy ..................................................................................... 40
Exercise Description....................................................................................................................................... 40
Exercise Objective .......................................................................................................................................... 40
Lab Exercise Steps......................................................................................................................................... 40
Test Posture Assessment and Posture Policies using AnyConnect Unified Agent .................................................. 45
Exercise Description....................................................................................................................................... 45
Exercise Objective .......................................................................................................................................... 45
 SECURE ACCESS HOW-TO GUIDES

Lab Exercise Steps......................................................................................................................................... 45

Test Posture Assessment and Posture Policies using NAC Web Agent ..................................................................... 54
Exercise Description....................................................................................................................................... 54
Exercise Objective .......................................................................................................................................... 54
Lab Exercise Steps......................................................................................................................................... 54
Monitor and Report on Posture Services ......................................................................................................................... 61
Exercise Description....................................................................................................................................... 61
Exercise Objective .......................................................................................................................................... 61
Lab Exercise Steps......................................................................................................................................... 61
 SECURE ACCESS HOW-TO GUIDES

Introduction
What Is the Cisco TrustSec System?
Cisco TrustSec®, a core component of the Cisco SecureX Architecture™, is an intelligent access control solution.
TrustSec mitigates security risks by providing comprehensive visibility into whom and what is connecting across the
entire network infrastructure, and exceptional control over what and where they can go.
TrustSec builds on your existing identity-aware access layer infrastructure (switches, wireless controllers, and so on).
The solution and all the components within the solution are thoroughly vetted and rigorously tested as an integrated
system.
In addition to combining standards-based identity and enforcement models, such as IEEE 802.1X and VLAN control,
the TrustSec system it also includes advanced identity and enforcement capabilities such as flexible authentication,
Downloadable Access Control Lists (dACLs), Security Group Tagging (SGT), device profiling, posture assessments,
and more.

Ingress Enforcement RADIUS

Wireless Guest Services
user Posture
Profiler

SXP
y
rit ag
cu T
Se oup
Gr
Campus
Wired Network
user Gr Sec
MACsec ou uri
p ty
Ta
g

Data Center
Ingress Enforcement

Egress Enforcement

Figure 1.

About the TrustSec How-To Guides

The TrustSec team is producing this series of How-To documents to describe best practices for TrustSec deployments.
The documents in the series build on one another and guide the reader through a successful implementation of the
TrustSec system. You can use these documents to follow the prescribed path to deploy, or simply pick the single use-
case that meets your specific need.
SECURE ACCESS HOW-TO GUIDES

Sample Topology used to write this guide

 SECURE ACCESS HOW-TO GUIDES

Lab IP Addresses and VLANs

Internal IP Addresses
Device Name/Hostname IP Address

Access Switch (3650) 3k-access.demo.local 10.1.100.1

Data Center Switch (3560X) 3k-data.demo.local 10.1.129.3

Wireless LAN Controller (virtual) wlc.demo.local 10.1.100.61

Wireless Access Point (2602i) ap.demo.local 10.1.90.x/24 (DHCP)

ASA (5515-X) asa.demo.local 10.1.100.2

ISE Appliance ise-1.demo.local 10.1.100.21

AD (AD/CS/DNS/DHCP) ad.demo.local 10.1.100.10

Mail mail.demo.local 10.1.100.40

NTP Server ntp.demo.local 128.107.212.175

Tools tools.demo.local 128.107.210.137

LOB Web lob-web.demo.local 10.1.129.12

Admin (Management) Client admin.demo.local 10.1.100.6

(also FTP Server) ftp.demo.local

Windows 7 Client PC w7pc-guest.demo.local 10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

VLAN VLAN Name IP Subnet Description

10 ACCESS 10.1.10.0/24 Authenticated users or access network using ACLs

20 MACHINE 10.1.20.0/24 Microsoft machine-authenticated devices (L3 segmentation)

(29) 10.1.29.0/24 Interconnect subnet between ASA and Access switch

30 QUARANTINE 10.1.30.0/24 Unauthenticated or non-compliant devices (L3 segmentation)

40 VOICE 10.1.40.0/24 Voice VLAN

50 GUEST 10.1.50.0/24 Network for authenticated and compliant guest users

90 AP 10.1.90.0/24 Wireless AP VLAN

98 ISE.LOCAL 10.1.98.0/24 AD domain – ise.local

99 LAB.LOCAL 10.1.99.0/24 AD domain – lab.local and sam.lab.local

100 Management 10.1.100.0/24 Network services (AAA, AD, DNS, DHCP, etc.)

129 WEB 10.1.129.0/24 Line-of-business Web servers

130 DB 10.1.130.0/24 Line-of-business Database servers

 SECURE ACCESS HOW-TO GUIDES

Introduction to ISE Endpoint Compliance Services and

Configuration Workflow
Exercise Description
In this section we will review the overall workflow for configuring ISE Endpoint Compliance Services including
Client Provisioning, Posture Policy, and Authorization Policy for posture compliant access.

Step 1 Review the diagram below which outlines the main steps in configuring ISE Posture Services.

Step 2 Note that the Posture Services workflow is comprised of three main configuration sections:
1. Client Provisioning
2. Posture Subscription and Policy
3. Authorization Policy
The diagram depicts the logical grouping of configuration tasks under each section.

Note: The numbers in the diagram indicate the order in which you will complete the tasks in this lab. Although in
practice an administrator may choose to complete the Posture Policy section before configuring the Authorization
Policy, in this lab we will first validate Client Provisioning without any specific posture policies configured before
configuring and applying specific posture requirements. Also, since the download of posture updates (pre-built
checks and rules for assessment including Windows and AV/AS) may take a while to download, that step is
moved to the beginning of the lab to ensure the required files are present at the start of the Posture Policy lab
exercise.
 SECURE ACCESS HOW-TO GUIDES

Step 3 Understanding Posture Services:

Client Provisioning: In order to perform posture assessment and determine the compliance state of an
endpoint, it is necessary to provision a client, or agent, to the endpoint. ISE Agents can be persistent
whereby the agent is installed and is automatically loaded each time a user logs in. ISE Agents can also be
temporal whereby a Web-based agent is dynamically downloaded to the user upon each new session and
then removed following the posture assessment process. AnyConnect agent is also responsible for
facilitating remediation and providing an optional Acceptable Use Policy (AUP) to the end user.
Therefore, one of the first steps in the workflow is to retrieve the agent files from the Cisco website and to
create policies that determine agent and configuration files downloaded to endpoints based on their
attributes, for example, user identity and client OS type.
Posture Policy: Defines the set of requirements for an endpoint to be deemed “Compliant” based on file,
registry, process, application, Windows, and AV/AS checks and rules. Posture policy is applied to
endpoints based on defined set of conditions such as user identity and client OS type. An endpoint’s
compliance (posture) status can be one of the following:
Step 4 Unknown (no data collected to determine posture state)
Step 5 NonCompliant (posture assessment performed and one or more requirements failed)
Step 6 Compliant (compliant with all mandatory requirements)
Step 7 Posture requirements are based on a configurable set of one or more conditions. Simple Conditions include
a single assessment check. Compound Conditions include a logical grouping of one or more Simple
Conditions. Each requirement is associated with a remediation action that assists endpoint to satisfy the
requirement, for example, an AV signature update.
Step 8 Authorization Policy: Defines the levels of network access and optional services to be delivered to an
endpoint based on posture status. Endpoints that are deemed “not compliant” with Posture Policy may be
optionally quarantined until the endpoint becomes compliant. During this phase, a typical Authorization
Policy may limit a user’s network access to posture and remediation resources only. If remediation by the
agent or end user is successful, then the Authorization Policy can grant privileged network access to the
user. Policy is often enforced using downloadable ACLs (dACLs) or dynamic VLAN assignment. This lab
uses dACLs for endpoint access enforcement.
Step 9 Understanding Lab Configuration Workflow:
Step 10 In this lab, you will download both persistent (AnyConnect (AC) Unified Agent) and temporal (Web
Agent) agent files to ISE and define client provisioning policies that require Employees to download the
AC Unified Agent and Guest users to download the Web Agent. Note: Employees will be authenticated
using 802.1X; Guest users will be authenticated using Central Web Authentication (CWA).
Step 11 Before configuring posture assessment policies and requirements, we will update the Authorization policy
to apply Authorization Profiles to Employees and Guests that are flagged “not compliant”. The
Authorization Profile will use a new dACL that we create to limit access to posture and remediation
resources. Employees and Guest users flagged “compliant” will be allowed regular network access. Once
configured, we can test client provisioning services. Since no Posture Policy has been configured, these
users should be allowed access once the agent successfully loads and sends its report to ISE.
Step 12 Once Client Provisioning services have been verified, posture requirements will be configured to check for
Antivirus being installed and signatures up to date. Another requirement will be configured based on
registry checks to verify the client has a screen saver enabled and is set to require a password to access a
desktop once activated.
Step 13 Testing will be conducted using both AC Unified Agents for Employees and Web Agents for Guest Users.
 SECURE ACCESS HOW-TO GUIDES

Configure and Deploy Client Provisioning Services

Exercise Description
Client provisioning allows ISE administrators to centrally configure and deploy client software to network users such
as posture agents and configuration files. This lab exercise covers how to download client software from Cisco to the
ISE appliance and how to configure policies to automatically deploy the AnyConnect Unified Agent and Web Agent.
Creation and deployment of an AnyConnect ISE Posture profile is also addressed in this exercise.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

• Complete general system settings to support Client Provisioning and Posture Services
• Download AV/AS support files for use in posture assessment and policies
• Download client agent software to deploy to the lab client
• Create an AnyConnect ISE Posture profile to deploy to the lab client
• Define a Client Provisioning Policy to deploy agents based on user identity and client OS
The diagram highlights the key tasks covered in this exercise including System Settings, Download of Dynamic
Updates and CPP Packages, Agent Profiles and CPP Policy:
 SECURE ACCESS HOW-TO GUIDES

Lab Exercise Steps

Step 14 Access ISE admin web interface
Step 15 Launch the Mozilla Firefox web browser on the admin client PC and enter the address https://ise-
1.demo.local
Step 16 Login with username admin and password ISEisC00L
Step 17 (Accept/Confirm any browser certificate warnings if present)
Step 18 The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.
Step 19 Download pre-built posture checks for AV/AS and Microsoft Windows.
Step 20 Navigate to Administration > System > Settings
Step 21 Click the icon to the left of Posture in the left-hand pane to expand the contents of the Posture settings,
and then click Updates. The Update Information in the bottom right-hand pane displays the last time
Posture updates took place.
Step 22 Review and add a check mark to Automatically Check for updates starting from initial delay as shown
below:

¤ Web

Update Feed URL:

https://www.cisco.com/web/secure/pmbu/posture-
update.xml
Proxy Address:
Proxy Port:
þ Automatically check for updates starting from initial delay … every 24 hours

Step 23 Click the Save button.

Step 24 Click Update Now to run it immediate.

Note: You may proceed to next steps while the update is running.

Step 25 Configure general settings for agent behavior:

Step 26 Select General Settings from the left-hand pane under the Posture settings. Review the default values for
Remediation Timer, Network Transition Delay, and Default Posture Status.
Step 27 Check (enable) the checkbox þ to “Automatically Close Login Success Screen After” and set time to 5
seconds. This option does not apply to AnyConnect ISE Posture Module.
Step 28 Posture Lease is new in ISE 1.3. It controls posture assessment at re-authentications. For example, a user
needs not posture again after disconnecting from network in the office and then reconnecting in the
conference room.
Step 29 For this lab, we are NOT enabling the posture lease in order to exercise variations of posture policy.

Posture General Settings

Remediation Timer 4 Minutes
Network Transition Delay 3 Seconds
Default Posture Status Compliant
þ Automatically Close Login 5 Seconds
Success Screen After

Posture Lease
¤ Perform posture assessment every time a user connects to the network

[ ] Perform posture assessment every 1 Days

Step 30 Click Save.
 SECURE ACCESS HOW-TO GUIDES

Note: The posture agent profiles may be used to override these global settings.

Step 31 Configure an Acceptable Use Policy for ISE Posture.

Step 32 Select Acceptable Use Policy from the left-hand pane under the Posture settings.
Step 33 Click Add. Enter the following values for the new AUP policy:

* Configuration Name aupAnyUser

Configuration Description Simple Acceptable Use Policy

Show AUP to Agent Users [þ

(¤) Use URL for AUP message

( ) Use file for AUP message

AUP URL / AUP File http://updates.demo.local/AUP.html

(Case
Sensitive)
* Select User Identity Groups Any
Step 34 Click [ Submit ] when finished.
Step 35 ISE Offline Upload AnyConnect and NAC Web Agent files.
Step 36 Open a new tab in Firefox to http://tools.demo.local/cp/ and download the following files by right-click and
Save Link As… to the Downloads folder.
Step 37 anyconnect-win-4.0.00048-k9.pkg
Step 38 anyconnect-win-compliance-3.6.9492.2.pkg
Step 39 anyconnect-VPN-disable.xml
Step 40 anyconnect-NAM-EAP-FAST.xml
Step 41 webagent-4.9.5.2-isebundle.zip
Step 42
Step 43 Back to ISE admin web UI, go to Policy > Policy Elements > Results and click the icon to left of Client
Provisioning to expand its contents.
Step 44 Select Resources in the left-hand pane.
Step 45 For each of the following files:
Step 46 anyconnect-win-4.0.00048-k9.pkg
Step 47 anyconnect-win-compliance-3.6.9492.2.pkg
Step 48 webagent-4.9.5.2-isebundle.zip
Step 49
Step 50 From the right-hand pane, click Add then click Agent Resources from local Disk from the drop-down list.
Select Cisco Provided Packages from Category drop-down.
Step 51 Browse... to C:\Users\admin\Downloads\, select the file to Open, Submit, and Confirm the checksum for.
Step 52
Step 53 CLIENT PROVISIONING FILE REFERENCE:
Step 54 AnyConnectDesktopWindows: AnyConnect ISE Posture module for Windows.
Step 55 AnyConnectDesktopOSX: AnyConnect ISE Posture module for OSX.
Step 56 Compliance Module(s): AnyConnectComplianceModuleOSX, AnyConnectComplianceModuleWindows are
compliance modules that provide updates to AV/AS vendor support for AC ISE Posture Module.
Step 57 AnyConnect ISE Posture Profiles: Configuration files for AnyConnect ISE Posture Module.
 SECURE ACCESS HOW-TO GUIDES

Step 58 Create an AnyConnect posture profile for Windows clients.

Step 59 From the right-hand pane, click Add then select [ NAC or AnyConnect Posture Profile ] from the drop-
down list.
Step 60 In ISE Posture Agent Profile Settings > New Profile, click on drop down arrow for Select a Category and
then select AnyConnect
Step 61 Enter the following values for the new Agent profile. When finished, click Submit.
Step 62

ISE Posture Agent Profile Settings The defaults should work for most cases. Changed items are highlighted. See ISE
User Guide, Release 1.3 for more info on Agent Profile Parameters and Applicable
Values.
AnyConnect
* Name: acPostureWinProfile
Description: AnyConnect ISE Posture Profile for Windows clients

Agent Behavior
Parameter Value Notes Description
Enable debug log No Enables the debug log on the agent
Operate on non-802.1X No Enables the agent to operate on non-
wireless 802.1X wireless networks.
Enable signature check No OSX: N/A Enables signature checking of
executables before the agent will run
them.
Log file size 5 MB The maximum agent log file size
Remediation timer 4 mins The default is empty which The time the user has for remediation
means use the global setting. before they will be tagged as non-
The default of global setting is 4. compliant

IP Address Change
Parameter Value Notes Description
Enable agent IP refresh Yes Enables VLAN change detection Sets the Vlan change detection flag on
the server, to transmit the configured
dhcp release delay, and the dhcp renew
delay values from the server to the client.
VLAN detection interval 0 secs 0 means VLAN detection is The interval at which the agent will check
disabled for a VLAN change
Ping or ARP Ping Ping timeout.
Maximum timeout for ping 1 secs
DHCP renew delay 1 secs
DHCP release delay 4 secs
Network transition delay 3 secs The default is empty which The period for which the agent suspends
means uses the global setting. network monitoring so it can wait for a
The default of global setting is 3. planned IP change to happen

Posture Protocol
Parameter Value Notes Description
PRA retransmission time 120 secs This is the agent retry period if there is a
Passive Reassessment communication
failure
Discovery host biz.demo.local The server that the agent should connect
to
* Server name rules * need to be blank by default to A list of wildcarded, comma-separated
force admin to enter a value. "*" names that defines the servers that the
means agent will connect to all agent can connect to. E.g. "*.cisco.com

Note: Discovery host set to biz.demo.local shows that it can be any site that may trigger URL redirect to ISE by the
redirect ACL so needs not be an ISE node.

Step 63 Configure an AnyConnect VPN profile to hide the VPN tile in AnyConnect GUI.
 SECURE ACCESS HOW-TO GUIDES

Note: We need a VPN profile in order not to show AnyConnect VPN module tile on the client machine.
Ref: CSCur22131: Discrepancy with VPN module appearing on client when it is de-selected

Step 64 Click Add then Category Customer Created Packages click

Agent Resources
Type AnyConnect Profile
from local Disk from the
drop-down list. Name acVPNdisableProfile
Step 65 Description Disable/hide VPN tile.
Step 66
Step 67
Step 68

Step 69 Browse to C:\Users\admin\Downloads\

Step 70 Select anyconnect-VPN-disable.xml
Step 71 Click Submit to save changes. Confirm when prompted for SHA1 hash match.
Step 72 Upload NAM profile to ISE.
Step 73 Click Add then Agent Resources from local Disk from the drop-down list.

Category Customer Created Packages

Type AnyConnect Profile
Name acNAMProfile
Description Configure AnyConnect NAM for EAP-FAST.
Step 74 Browse to C:\Users\Admin\Downloads\
Step 75 Select anyconnect-NAM-EAP-FAST.xml
Step 76 Click Submit to save changes. Confirm when prompted for SHA1 hash match.
Step 77 Create an AnyConnect configuration profile for Windows clients.
Step 78 From the right-hand pane, click Add then select AnyConnect Configuration from the drop-down list.
Step 79 Under AnyConnect Package, click on drop down arrow for Choose a Package and then select
AnyConnectDesktopWindows 4.0.48.0
Step 80 Enter the following values for the new Agent Configuration. When finished, click [ Submit ] to save the
changes.

* AnyConnect Package: AnyConnectDesktopWindows 4.0.48.0

* Configuration Name: acConfigWin
Description: AnyConnect agent configuration for Windows
* Compliance Module Anyconnect-win-compliance-3.6.9492.2
AnyConnect Module Selection
ISE Posture
VPN
Network Access Manager
Web Security
ASA Posture
Start Before Logon
Diagnostic and Reporting Tool

Profile Selection
ISE Posture acPostureWinProfile
VPN acVPNdisableProfile
acNAMProfile
 SECURE ACCESS HOW-TO GUIDES

Network Access -
Manager
-
Web Security
Customer Feedback

Step 81 Define Client Provisioning Policy for Employees and Guest users
Step 82 Go to Policy à Client Provisioning.
Step 83 Add two new Client Provisioning rules per the following table values, and then [ Save ].
Step 84 To add a new policy, point to the right and select the Edit drop down and select Insert New Policy below.
Step 85

Rule Name ID Groups OS Conditions Results

Employee WinAll Any Windows All demoAD.local:ExternalGroups Agent Configuration
EQUALS demo.local/HCC/Groups/Employees Agent: acConfigWin

Guest WinAll Any Windows All Network Access:UseCase Agent Configuration

EQUALS Guest Flow Agent: WebAgent 4.9.5.2

Note: Be sure to Save Client Provisioning Policy!

Step 86 Configure Guest Portal to go through posture checks

Step 87 Go to Guest Access à Configure à Guest Portals
and click on Self-Registered Guest Portal (default)
hyperlink.

Note: If Error code WAP00008 is received, refresh the web

page and click on the portal links again. --
CSCuq43931

Step 88 Scroll down to Guest Device Compliance Settings.

Check [ þ Require guest device compliance ] as shown.
Step 89
Step 90
Step 91
Step 92
Step 93
Step 94 Click Save when finished.
Step 95 Configure Retry URL for timing-out at Guest / Client Provisioning Portals
Step 96 Go to Administration à Device Portal Management à Settings
Step 97 Expand on Retry URL
Step 98 Set the value as below:

Retry URL for onboarding: http://www.cisco.com

Step 99 [ Save ] once done.
Step 100
Step 101
 SECURE ACCESS HOW-TO GUIDES

Define Authorization Policy for Client Provisioning and

Posture Compliance
Exercise Description
The Authorization Policy sets the types of access and services to be granted to endpoints based on their attributes such
as identity, access method, and compliance with posture policies. This exercise includes modifications to an existing
Authorization Policy to ensure that endpoints that are not posture compliant are quarantined (granted limited access
sufficient to provision agent software and to remediate failed requirements), and that only posture compliant endpoints
are granted privileged network access.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

• Define a Downloadable ACL (dACL) that restricts network access for endpoints whose compliance state is
either Unknown or NonCompliant.
• Define a new URL Redirect ACL on the access switch to ensure that general http/https traffic is redirected to
the ISE Policy Service node while allowing access to remediation servers.
• Define new Authorization Profiles for 802.1X and web-authenticated users that apply the “quarantine” dACL
and Redirect ACL to redirect endpoints to provisioning and posture services.
• Add new rules to the Authorization Policy that leverage the new Authorization Profiles to quarantine, assess
posture, and remediate endpoints that are not posture compliant.
• Update existing Authorization Policy rules such that privileged network access is based on posture
compliance.
The diagram highlights the key tasks covered in this exercise including Authorization Profiles, their component
dACLs, and Authorization Policy:

•
 SECURE ACCESS HOW-TO GUIDES

Lab Exercise Steps

Step 102 Access the admin interface of the ISE Administrative node.
Step 103 Go to the Admin client PC and launch the Mozilla Firefox web browser. Enter the following URL in the
address field:
Step 104 https://ise-1.demo.local
Step 105 Login with username admin and password ISEisC00L
Step 106 (Accept/Confirm any browser certificate warnings if present)
Step 107 Define a dACL that restricts network access for endpoints that are not posture compliant.
Step 108 Go to Policy à Policy Elements à Results and click icon to left of Authorization (or double-click
Authorization) to expand its contents.
Step 109 Select Downloadable ACLs from the left-hand pane.
Step 110 Click Add from the right-hand pane under DACL Management and enter the following values for the new
dACL:

Note: Copy-and-paste the DACL content from http://tools.demo.local/cp/DACL_POSTURE_REMEDIATION.txt

* Name POSTURE_REMEDIATION
Description Permit access to posture and remediation services and deny all
other access. Permit general http and https for redirection only.
* DACL Content permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8905
remark below for roadshow pods
permit tcp any host 10.1.100.222 eq 80
remark below for GOLD pods
permit tcp any host 10.1.129.8 eq 80
Step 111
Step 112 The following describes the purpose of individual access control entries (ACEs):

Downloadable ACE Description

permit udp any any eq domain Permit DNS for name resolution
permit icmp any any Permit ICMP for initial troubleshooting
permit tcp any host 10.1.100.21 eq 8443 Permit CWA/CPP to ISE Policy Service node
permit tcp any host 10.1.100.21 eq 8905 Allow Agent discovery direct to Policy Service node
permit udp any host 10.1.100.21 eq 8905 Allow Agent discovery and keep-alives
permit tcp any host 10.1.129.8 eq 80 Explicit allow to remediation server

Step 113 Click Submit when completed.

Step 114
Step 115 Define dACL for AD Login Access
Step 116 Click Add from the right-hand pane under DACL Management and enter the following values for the new
dACL:

Note: Copy-and-paste the DACL content from http://tools.demo.local/cp/DACL_AD_LOGIN_ACCESS.txt

* Name AD_LOGIN_ACCESS
 SECURE ACCESS HOW-TO GUIDES

Description Employee AD Access

* DACL Content permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq ntp
permit tcp any host 10.1.100.10 eq 135
permit udp any host 10.1.100.10 eq netbios-ns
permit tcp any host 10.1.100.10 eq 139
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 445
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
permit tcp any host 10.1.100.10 eq 1025
permit tcp any host 10.1.100.10 eq 1026

Step 117
Step 118 Define dACL for Guest Access
Step 119 Click Add from the right-hand pane under DACL Management and enter the following values for the new
dACL:

Note: Copy-and-paste the DACL content from http://tools.demo.local/cp/DACL_GUEST_INTERNET.txt

* Name INTERNET_ONLY
Description Internet Access
* DACL Content permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
deny ip any 10.1.0.0 0.0.255.255
permit ip any any

Step 120
Step 121 Review URL Redirect ACL on the access switch.
Step 122 From the Admin client PC, use the desktop shortcut for the PuTTY to launch a terminal session to the
3k-access switch using the credentials admin / ISEisC00L.
Step 123 Enter the following command at the access switch exec shell prompt to verify the contents of the ACL:

3k-access# show ip access-lists ISE-URL-REDIRECT

Extended IP access list ISE-URL-REDIRECT
5 deny tcp any host 10.1.129.8 eq www
10 permit tcp any any eq www

Step 124
Step 125 Authorization Profiles will reference this ACL and work in conjunction with the accompanying dACL
applied to the switchport interface.
Step 126 In the example URL Redirect ACL above, the entry marked “deny” will not redirect the specified packets.
This is for traffic specifically destined to the remediation server.
Step 127
Step 128 Define a new Authorization Profile Posture Remediation that leverages both the new dACL for port
access control and the URL Redirect ACL for traffic redirection.
Step 129 Return to the ISE admin interface from the Admin client PC.
 SECURE ACCESS HOW-TO GUIDES

Step 130 Click Authorization Profiles from the left-hand pane under Policy > Policy Elements > Results >
Authorization.
Step 131 Click Add from the right-hand pane and enter the values for the Authorization Profile as shown below.

Name Posture Remediation

Description Permit access to posture and remediation services; redirect
traffic to client provisioning and posture services.
Access Type ACCESS_ACCEPT
þ DACL
Name POSTURE_REMEDIATION

þ Web
Client Provisioning (Posture)
Redirection
ACL: ISE-URL-REDIRECT
(CWA,
Value: Client Provisioning Portal (default)
MDM, NSP,
CPP) [ ] Static IP/Host name

Step 132 The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

DACL = POSTURE_REMEDIATION
cisco:cisco-av-pair=url-redirect-acl=ISE-URL-REDIRECT
cisco:cisco-av-pair=url-redirect =https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=…&action=cpp

Step 133 Scroll to bottom of page and click Submit to apply your changes.
Step 134
Step 135 Define a new Authorization Profile CWA Posture Remediation that leverages both the new dACL for
port access control and the URL Redirect ACL for traffic redirection.
Step 136 From the left-hand pane under Policy à Policy Elements à Results à Authorization.
Step 137 Click Add from the right-hand pane and enter the values for the Authorization Profile as shown below.

Name CWA Posture Remediation

Description Permit access to posture and remediation services; redirect
traffic to central web auth services.
Access Type ACCESS_ACCEPT
þ DACL
Name POSTURE_REMEDIATION

þ Web Centralized Web Auth

Redirection
(CWA, ACL: ISE-URL-REDIRECT
MDM, NSP, Value: Self-Registered Guest Portal (default)
CPP)
[ ] Display Certificates Renewal Message
[ ] Static IP/Host name

Step 138 The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

DACL = POSTURE_REMEDIATION
cisco:cisco-av-pair=url-redirect-acl=ISE-URL-REDIRECT
cisco:cisco-av-pair=url-redirect =https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=…&action=cwa
 SECURE ACCESS HOW-TO GUIDES

Step 139 Scroll to bottom of page and click Submit to apply your changes.
Step 140
Step 141 Define a new Authorization Profile for Compliant Employees named Employee that allows complete
access.
Step 142 From the left-hand pane under Policy à Policy Elements à Results à Authorization à Authorization
Profiles.
Step 143 Click Add from the right-hand pane and enter the values for the Authorization Profile as shown below.

Name Employee
Description Full Access
Access Type ACCESS_ACCEPT
þ DACL Name PERMIT_ALL_TRAFFIC

Step 144 The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

DACL = PERMIT_ALL_TRAFFIC

Step 145 Scroll to the bottom and click Submit to apply your changes.
Step 146
Step 147 Define a new Authorization Profile for AD Login
Step 148 Click Authorization Profiles from the left-hand pane under Policy à Policy Elements à Results à
Authorization.
Step 149 Click Add from the right-hand pane and enter the values for the Authorization Profile as shown below.

Name AD Login
Description Allow machine to login to AD through dot1.x
Access Type ACCESS_ACCEPT
þ DACL Name AD_LOGIN_ACCESS

Step 150 The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

DACL = AD_LOGIN_ACCESS

Step 151 Scroll to the bottom and click Submit to apply your changes.
Step 152 Define a new Authorization Profile for Guest access which would be used for Guest as well as contractor
access
Step 153 Click Authorization Profiles from the left-hand pane under Policy à Policy Elements à Results à
Authorization.
Step 154 Click Add from the right-hand pane and enter the values for the Authorization Profile as shown below.

Name Guest
Description Allow access to Guest and Contractors
Access Type ACCESS_ACCEPT
 SECURE ACCESS HOW-TO GUIDES

þ DACL Name INTERNET_ONLY

Step 155 The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

DACL = INTERNET_ONLY

Step 156 Scroll to the bottom and click Submit to apply your changes.
Step 157
Step 158 Enable Policy Sets

Administration à Settings à Policy Sets and select ‘Enabled’

Step 159 Policy set wiredMAB

Step 160 Navigate to Policy à Policy Sets
Step 161 Select Default policy set in the left-hand pane
Step 162 Click on Ë à Create Above
Step 163
Step 164
Step 165 Click Edit on the far right to edit the Policy Name and Conditions

Name wiredMAB
Description -
Select Condition(s) [ Select Existing Condition
from Library ]
à Compound Condition
à Wired_MAB

Step 166

Step 167 Click Done

Step 168
Step 169 Policy set wiredMAB Authentication Policy
Step 170 Expand the Authentication Policy
Step 171 Click Edit for the Default Rule
 SECURE ACCESS HOW-TO GUIDES

Step 172 Select Identity Source à Internal

Endpoints
Step 173 Select Continue for If user not found
Step 174 Click Done
Step 175

S Rule Name Identity Groups Other Conditions Permissions

P Guest Internet Access Any
NetworkAccess:UseCase EQUALS
Guest
Guest Flow
P Default (no matches) CWA Posture Remediation

Step 176 Policy set wiredMAB Authorization Policy

Step 177
Step 178 Collapse Authentication Policy and expand Authorization Policy
Step 179 Insert Guest Internet Acces authorization rule
Step 180 Click the down arrow to the right of Edit of Default Rule and [ insert a new rule above ]

Step 181
Step 182 Enter Rule Name as Guest
i. Click the next to Condition(s)

ii. Choose Condition à Create New Condition (Advance Option)

iii. Select Attribute NetworkAccess à UseCase EQUALS Guest Flow
iv. Click on gear icon and select [ Add attribute/Value ] from the drop-down menu.
v. Select Attribute Session à PostureStatus EQUALS Compliant
vi. Click under Permissions à Select a profile
à Standard à Guest

Step 183 Click Done

Step 184 Update Default rule
Step 185 Click Edit for the Default Rule
Step 186 Click next to DenyAccess à Select a profile
Step 187 à Standard à CWA Posture Remediation
Step 188 Click Done
Step 189 Click [ Submit ] to save policy set wiredMAB
Step 190 Policy set wiredDOT1X
Step 191 Navigate to Policy à Policy Sets
Step 192 Select Default policy set in the left-hand pane
Step 193 Click on Ë à Create Above
Step 194
Step 195
Step 196 Click Edit on the far right to edit the Policy Name and Conditions

Name wiredDOT1X
Description -
Select Attribute [ Select Existing Condition
from Library ]
à Compound Condition
 SECURE ACCESS HOW-TO GUIDES

à Wired_802.1X

Step 197

Step 198 Click Done

Step 199 Policy set wiredDOT1X Authentication Policy
Step 200 Expand the Authentication Policy
Step 201 Click Edit for the Default Rule
Step 202 Select Identity Source à demoAD
Step 203 Click Done
Step 204 Policy set wiredDOT1X Authorization Policy

S Rule Name Identity Groups Other Conditions Permissions

P Domain Computer Any demoAD:ExternalGroups EQUALS AD Login
demo.local/Users/Domain Computers
P Employee Any demoAD:ExternalGroups EQUALS Employee
demo.local/HCC/Groups/Employees
AND
Session:PostureStatus EQUALS Compliant
P Employee Posture Any demoAD:ExternalGroups EQUALS Posture Remediation
Assessment demo.local/HCC/Groups/Employees
AND
Session:PostureStatus NOT_EQUALS Compliant
P Default (no matches) DenyAccess

Step 205
Step 206 Collapse Authentication Policy and expand Authorization Policy
Step 207 Insert Domain Computer authorization rule
Step 208 Click the down arrow to the right of Edit of Default Rule and [ insert a new rule above ]

Step 209 Enter Rule Name as Domain Computer

vii. Click the next to Condition(s)

viii. Choose Condition à Create New Condition (Advance Option)

ix. Select Attribute demoAD à ExternalGroups EQUALS demo.local/Users/Domain Computers
x. Click under Permissions à Select a profile
à Standard à AD Login
xi. Click Done
b. Add Employee authorization rule

Step 210 Click the down arrow to the right of Edit of Domain Computer rule and [ Duplicate Below ]
Step 211 Change Rule Name to Employee
i. Click the under Conditions

Step 212 Update Attribute demoAD à ExternalGroups EQUALS demo.local/HCC/Groups/Employees

ii. Click on gear icon and select [ Add attribute/Value ] from the drop-down menu.
iii. Select Attribute Session à PostureStatus EQUALS Compliant
 SECURE ACCESS HOW-TO GUIDES

iv. Click next to AD Login à Select a profile

à Standard à Employee
v. Click Done

c. Add Employee Posture Assessment authorization rule

Step 213 Click the down arrow to the right of Edit of Employee rule and then [ Duplicate Below ]
Step 214 Update Rule Name as Employee Posture Assessment
i. Click the under Conditions

Step 215 Update the second condition Session:PostureStatus ... and change its operator from EQUALS to
NOT_EQUALS
ii. Click next to Employee à Select a profile
à Standard à Posture Remediation
iii. Click Done

Step 216 Click [ Submit ] to save policy set wiredDOT1X.

Step 217
 SECURE ACCESS HOW-TO GUIDES

Test and Monitor Client Provisioning Services for NAC Web

Agent
Exercise Description
This exercise validates the Client Provisioning and Authorization Policy configuration completed in the previous lab
exercises. Since no Posture Policy has been configured, all users should be posture compliant. The Web Agent will be
tested and monitored in detail in this exercise. In addition to Web Agent provisioning, this exercise will also validate
agent policies such as AUP and auto-closure of login success screens.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

• Login to the secured lab network from a Windows 7 PC client as a Guest user via Central Web-based
Authentication (CWA) and verify Web Agent provisioning.
• Review ISE and switch logs to validate proper operation and application of the Authorization Policy.

Lab Exercise Steps

Step 218 Power OFF VM p##_w7pc-corp if ON
Step 219 Power ON VM p##_w7pc-guest if OFF
Step 220 Console and log into VM w7pc-guest as admin / ISEisC00L.
Step 221 Establish a terminal session with the 3k-access switch and simulate a new network connection from w7pc-
guest connected on port GigabitEthernet1/0/1.

Note: Note: You may need to enable the NIC on the w7pc-guest. Click the w7pc-guest Network Connections short
cut and double-click on w7pc-guest-wired to enable it.

From the Admin client PC, use the desktop shortcut for the PuTTY SSH client to launch a terminal
session to the 3k-access switch from the PuTTY list and login using the credentials admin / ISEisC00L. If
not already in privileged mode, enter enable mode using password ISEisC00L.
To view log messages from the terminal session, enter the terminal monitor command at the switch exec
prompt:

3k-access# terminal monitor

Note: Use the command terminal no monitor if need to disable the monitoring of terminal logging without exiting the
session.

Enter configuration mode for interface GigabitEthernet 1/0/1and enter shut followed shortly by a no shut
command:

3k-access# conf t
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)# int gi 1/0/1
3k-access(config-if)# shut
3k-access(config-if)# no shut
 SECURE ACCESS HOW-TO GUIDES

3k-access(config-if)# end
3k-access#

Step 222 If logging to terminal is enabled, a series of log messages should appear on the screen during port shutdown
and re-activation. Enter CTRL+Z or end to exit configuration mode.
Step 223 After issuing the ‘no shut’ command, use the following exec command to view the current authorization
status of interface GigabitEthernet 1/0/1:

3k-access# show authentication sessions interface gi 1/0/1 detail

Note: You can also issue exec-level commands from within configuration mode using the do command. Example:

3k-access(config-if)# do sh auth sess int gi 1/0/1 detail

After approximately 10-15 seconds, the output should appear similar to the following:

3k-access#sh auth sess int g1/0/1 de

Interface: GigabitEthernet1/0/1
IIF-ID: 0x1059000000000A3
MAC Address: 0050.5687.ea65
IPv6 Address: Unknown
IPv4 Address: 10.1.50.201
User-Name: 00-50-56-87-EA-65
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000FF8513EF2B4
Acct Session ID: 0x00000FE5
Handle: 0xB200003D
Current Policy: POLICY_Gi1/0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
URL Redirect: https://ise-
1.demo.local:8443/portal/gateway?sessionId=0A01640100000FF8513EF2B4&portal=19b72310-5e4e-11e4-
b905-005056bf2f0a&action=cwa&token=a99a35f1ec4c4975f891a43cc2d17804

URL Redirect ACL: ISE-URL-REDIRECT

ACS ACL: xACSACLx-IP-POSTURE_REMEDIATION-54bf6344

Method status list:

Method State
dot1x Stopped
mab Authc Success

In the above output, note that the dACL (ACS ACL) = POSTURE-REMEDIATION has been pushed to
the interface along with a named URL Redirect ACL = ISE-URL-REDIRECT that defines the traffic to
be redirect to the link specified by URL Redirect. The redirect URL must include the domain name of the
ISE Policy Service node, reference to port 8443, the current session ID, and reference action to cwa (CWA
portal). If any of these items are missing, then web authentication will fail.

Display the current dACL applied to the interface using the command show ip access-lists <ACS-ACL-
name>, where ACS-ACL-name is taken from the output from the previous step.

3k-access#show ip access-lists xACSACLx-IP-POSTURE_REMEDIATION-54bf6344

 SECURE ACCESS HOW-TO GUIDES

Extended IP access list xACSACLx-IP-POSTURE_REMEDIATION-54bf6344 (per-user)

1 permit udp any any eq domain
2 permit icmp any any
3 permit tcp any host 10.1.100.21 eq 8443
4 permit tcp any host 10.1.100.21 eq 8905
5 permit udp any host 10.1.100.21 eq 8905
7 permit tcp any host 10.1.100.222 eq www
9 permit tcp any host 10.1.129.8 eq www

Return to the w7pc-guest PC client and login as a guest user.

From the w7pc-guest PC client, launch the Firefox web browser and enter in cisco.com. The page should
be redirected to the URL specified in the URL Redirect output and display the ISE web authentication
portal.

Click the Don’t have an account? hyperlink from the login portal and enter the following values into the
form, and then click Submit:

User Name jdoe

First Name John
Last Name Doe
Email Address guest@demo.local
Phone Number (optional)
Company GOLD

Person Being Visited (optional)

Reason for Visit Web Agent test

Step 224 Write down the assigned username and password credentials:
Username: _________________________

Password: __________________________

To facilitate login, select and copy the password entry, making sure not to include any extra characters.
Click the OK button.
The web authentication login page again displays. Enter your new Username/Password credentials and
click the Sign On button.
If an AUP was enabled for web authentication, check the box to Accept terms and conditions and then
click Accept. And then click Continue
The Agent download page should appear. Click [ Allow... ] when asked ‘Allow ise-1.demo.local to run
“Java Platform SE 7”?’. Click the Continue button to install Web agent. If asked to update Java, please
click later.

Note: Be cautious of bug CSCuh75971- Issue running applet in Windows or Macintosh OS with latest
java 7 update 25. CSCum76079 Client JAR manifest missing Permissions attribute & blocked by
Java 7u51.

The ISE server certificate is signed by Active Directory Certificate Services but the root CA certificate has
not been installed on the client PC w7pc-guest. Click Yes if prompted with any browser certificate
 SECURE ACCESS HOW-TO GUIDES

warnings. Also, applets may be required to facilitate download of the Web Agent. Click Yes (or Install) if
prompted to install applets as part of Web Agent download and install process.
Notice the yellow bar at the top of the page asking you to allow the install

You may be required to enter in your admin credentials of the machine admin / ISEisC00L. If a security
warning appears please select continue. If this times out just refresh the page.

Step 225 The Cisco NAC Web Agent window should appear and indicate that posture assessment is being
performed. Since no posture policy has been configured yet, the client will pass assessment and the agent
will indicate “Host is compliant with network security policy” as shown below:

Reattempt access to the browser’s home page via the home icon, or else manually enter the address of
www.cisco.com in the address field. Access to the external website should now display.
Step 226 When finished, close the web browser session.
Step 227 Verify the session status on the switchport for Guest authorization.
Step 228 Return to the terminal session on the access switch.
Repeat the show authentication sessions output for interface GigabitEthernet 1/0/1. The output should
appear similar to that shown below:

3k-access#sh auth sessions interface gigabitEthernet 1/0/1 detail

Interface: GigabitEthernet1/0/1
IIF-ID: 0x1059000000000A3
MAC Address: 0050.5687.ea65
IPv6 Address: Unknown
IPv4 Address: 10.1.50.201
User-Name: jdoe
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000FF8513EF2B4
Acct Session ID: 0x00000FE5
Handle: 0xB200003D
Current Policy: POLICY_Gi1/0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
ACS ACL: xACSACLx-IP-INTERNET_ONLY-54bf6773

Method status list:

Method State
dot1x Stopped
mab Authc Success

3k-access#show ip access-lists xACSACLx-IP-INTERNET_ONLY-54bf6773

Extended IP access list xACSACLx-IP-INTERNET_ONLY-54bf6773 (per-user)
1 permit udp any any eq domain
2 permit icmp any any
3 permit tcp any host 10.1.100.21 eq 8443
 SECURE ACCESS HOW-TO GUIDES

4 deny ip any 10.1.0.0 0.0.255.255

5 permit ip any any

Note: Note that URL redirection is no longer applied and that the dACL (ACS ACL) named INTERNET_ONLY is applied
to the interface.

Step 229 Verify the authentication/authorization phases of the Central Web Auth and Client Provisioning session
from the ISE admin interface.
From the Admin client PC, access the admin interface of the ISE Administrative node (admin /
ISEisC00L).

Go to Operations à Authentications. View the recent entries associated with the web authentication
session by MAC Address, IP address, interface, or Session ID. It may be help to filter the log entries by
entering a couple bytes of the Session ID or MAC address (Calling Station ID) into the appropriate column
header and hitting Enter. Click the circled x in the field to clear the filter.

Step 230 Referring to the example authentication log below (split across two screens), you should see entries similar
to the following that match the output received from the switch:
Step 231 Successful MAB authentication of the MAC Address (username 00:50:56:B4:01:69 in example) and
Authorization Profile named CWA_Posture_Remediation applied
Step 232 dACL named POSTURE_REMEDIATION has been successfully downloaded.
Step 233 Guest login.
Step 234 Dynamic Authorization (CoA) succeeded for session.
Successful CWA authentication for Guest User (username guser001 in example) and Authorization Profile
named Guest applied.

Step 235 dACL named INTERNET_ONLY has been successfully downloaded.

Note: Note: Session ID can be found by clicking on the details on a specific transaction. You also have the option to
Show Live Sessions.
 SECURE ACCESS HOW-TO GUIDES

Test and Monitor Client Provisioning Services for

AnyConnect Unified Agent
Exercise Description
This exercise validates the Client Provisioning and Authorization Policy configuration completed in the previous lab
exercises. Since no Posture Policy has been configured, all users should be posture compliant. The AnyConnect
Unified Agent will be tested and monitored in detail in this exercise. In addition to Agent provisioning, this exercise
will also validate agent policies such as AUP, auto-closure of login success screens, and agent profile configuration.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

• Login to the secured lab network from a Windows 7 PC client as an Employee via 802.1X machine
authentication and user authentication and verify AnyConnect provisioning.
• Review ISE and switch logs to validate proper operation and application of the Authorization Policy.

Lab Exercise Steps

Power ON VM guest p##_w7pc-corp.
Step 236 Establish a terminal session with the 3k-access switch (10.1.100.1).
Validate the session status of the switchport authorization after Windows login (802.1X User
authentication):
At the w7pc-corp VM console, send Ctrl+Alt+del and login to Windows domain as user
DEMO\employee1 / ISEisC00L. Issue show authentication sessions for interface GigabitEthernet1/0/1.
After successful 802.1X user authentication, the Authorization Policy should match the [ Employee Posture
Assessment ] rule (Authorization Profile = Posture_Remedation). The output should appear similar to that
shown below:

3k-access# sh auth sess int g1/0/1 details

Interface: GigabitEthernet1/0/1
MAC Address: 0050.5693.6399
IPv6 Address: Unknown
IPv4 Address: 10.1.50.202
User-Name: DEMO\employee1
Device-type: Microsoft-Workstation
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A01640100000FFB52933346
Acct Session ID: 0x00000FE8
Handle: 0x2100003F
Current Policy: POLICY_Gi1/0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
ACS ACL: xACSACLx-IP-POSTURE_REMEDIATION-54bf6344
URL Redirect: https://ise-
1.demo.local:8443/portal/gateway?sessionId=0A01640100000FFB52933346&portal=19f9d160-5e4e-11e4-
b905-005056bf2f0a&action=cpp&token=ed5181d4510d712bd6f49f1ccf03c0be
URL Redirect ACL: ISE-URL-REDIRECT
 SECURE ACCESS HOW-TO GUIDES

Method status list:

Method State
dot1x Authc Success

Verify that 802.1X user authentication (User-Name = DEMO\employee1) completed successfully and that
the dACL (ACS ACL) named POSTURE-REMEDIATION pushed to the interface.
A named URL Redirect ACL = ISE-URL-REDIRECT has also been applied that defines the traffic to be
redirected to the link specified by URL Redirect. The redirect URL must include the domain name of the
ISE Policy Service node, reference to port 8443, the current session ID, and reference action to cpp (Client
Provisioning Portal). If any of these items are missing, then web authentication will fail.

Step 237 Validate Client Provisioning (aka Web-Deploy) for the AnyConnect.
From w7pc-corp Windows session, launch Firefox web browser and go to www.cisco.com. It will
immediately redirect to ISE client provisioning portal (CPP). (Accept/Confirm any browser certificate
warnings if present)

Click the Start button.

Step 238 After CPP takes ~ 10 seconds to detect any existing AnyConnect installation, it shows an info page for the
location to download and install AnyConnect.

Expand [ + This is my first time here ] and click the hyperlink to download and install AnyConnect.

Double click to run the downloaded program. If prompted by Windows UAC, enter credentials admin /
ISEisC00L.

Note: Admin privileges are required to install AnyConnect for the first time. Once installed, upgrades can occur without
escalated privileges. AnyConnect can also be distributed using an MSI installer package.
 SECURE ACCESS HOW-TO GUIDES

AnyConnect ISE Network Setup Assistant window appears. Click Connect to start running AnyConnect
Downloader… Click Yes to restart your computer now when prompted.

Step 239 After

reboot and re-login, AnyConnect shows an
AUP.
Click Accept to agree to the AUP. The System
Scan tile should display
indicating Compliant.
Network access allowed.

The client should now

have full network access.
To validate, open a web
browser and verify that access to www.cisco.com is allowed.

Note: Note: If the Client fails to obtain an IP address, shut/no shut interface gig
1/0/1 on the 3k-access switch.

Step 240 Verify the session status of the switchport authorization for a compliant Employee.
Repeat the show authentication sessions output for interface GigabitEthernet1/0/1. The Authorization
Policy should match the Employee rule (Authorization Profile = Employee) and output should appear
similar to that shown below:

3k-access#sh auth sess int g1/0/1 details

Interface: GigabitEthernet1/0/1
MAC Address: 0050.5693.6399
IP Address: 10.1.10.202
User-Name: employee1
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A01FA02000000711F4E7514
 SECURE ACCESS HOW-TO GUIDES

Acct Session ID: 0x0000009C

Handle: 0x0C000071

Runnable methods list:

Method State
dot1x Authc Success

In the above output, note that the dACL (ACS ACL) = PERMIT_ALL_TRAFFIC has been successfully
downloaded to the interface to grant the compliant Employee full network access.

Step 241 Verify the authentication/authorization phases of the 802.1X Auth and Client Provisioning from the ISE
admin interface.
Go to Operations > Authentications. View the recent entries associated with the Employee session by
MAC Address, IP address, Interface, or Session ID. It may be help to filter the log entries by entering a
couple bytes of the Session ID or MAC address (Calling Station ID) into the appropriate column header
and hitting Enter. Click the circled x in the field to clear the filter.
Referring to the sample log below, you should see entries similar to the following that match the output
received from the switch, where 1 is the lowest or first entry:

Successful 802.1X machine authentication of the Domain Computer host/w7pc-corp.demo.local using

PEAP(EAP-MSCHAPv2); Authorization Profile named AD_Login applied.
dACL AD_LOGIN_ACCESS has been successfully downloaded.

Successful 802.1X user authentication of the Domain User DEMO\employee1; Authorization Profile
named Posture_Remediation applied.
dACL POSTURE_REMEDIATION has been successfully downloaded.
Successful authentication of host/w7pc-corp using EAP-FAST(EAP-MSCHAPv2) due to NAM
installation.
dACL AD_LOGIN_ACCESS has been successfully downloaded.
Successful machine authentication of host/w7pc-corp.demo.local using PEAP(EAP-MSCHAPv2) due to
reboot.
Successful machine authentication of host/w7pc-corp using EAP-FAST(EAP-MSCHAPv2) due to reboot.
Successful 802.1X user authentication of the Domain User employee1; Authorization Profile named
Posture_Remediation applied.
 SECURE ACCESS HOW-TO GUIDES

dACL POSTURE_REMEDIATION has been successfully downloaded.

Posture reported compliant and dynamic authorization (CoA) succeeded for session based on posture status
change.
Authorization Profile named Employee applied; dACL PERMIT_ALL_TRAFFIC applied.
dACL PERMIT_ALL_TRAFFIC has been successfully downloaded.
Session State is Started.

Step 242 Review the AnyConnect installation.

Step 243 Click on the Advanced Window (gear symbol) to view more information about the current session.

Note: At this time, we will not see the requirements in Scan Summary or Message History as in the sample screen shots
below, because of no posture policy yet.
 SECURE ACCESS HOW-TO GUIDES

Step 244 Close out all windows

 SECURE ACCESS HOW-TO GUIDES

Configure an Anti-Virus Posture Policy

Exercise Description
Posture assessment allows administrators to validate the applications and configurations on user endpoints through the
use of posture agents such as the AC ISE Posture Module or NAC Web Agent. Posture assessment can utilize file,
registry, application process, service, Windows and AV/AS checks to accomplish the task of determining endpoint
compliance with Posture Policy. The Posture Policy defines the set of conditions that must be satisfied for an endpoint
to be considered compliant, and if not, the methods to be used for remediation.
This exercise covers the configuration of a Posture Policy based on Antivirus (AV) conditions.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

• Define AV posture conditions that validate the installation and signature version of ClamWin AV on an
endpoint.
• Define AV posture conditions that validate the installation and signature version of any approved AV on an
endpoint.
• Define remediation actions for installing and updating AV software.
• Configure requirements for AV to be installed and signatures current on an endpoint.
• Configure a Posture Policy for Employees to have ClamWin AV installed and current
• Configure a Posture Policy for Guest users to have any AV installed and current
The diagram highlights the key tasks covered in this exercise including Simple and Compound Conditions,
Remediation Actions, Posture Requirements, and Posture Policy:
 SECURE ACCESS HOW-TO GUIDES

Lab Exercise Steps

Step 245 If not already completed from earlier lab step, make sure AV/AS and Cisco checks have been downloaded
to the ISE appliance.
Step 246 Navigate to Administration > System > Settings and click the icon to the left of Posture in the left-
hand pane to expand the contents of the Posture settings, and then click Updates. The Update Information
section in the bottom right-hand pane should show information regarding update time and versions as
shown in sample below. If values are empty, repeat lab steps to download updates.
Step 247
Step 248
Step 249
Step 250
Step 251
Step 252
Step 253

Step 254 Define an AV posture condition that validates the installation of ClamWin AV on an endpoint. This check
will be used in posture requirements applied to Employees.
Step 255 Go to Policy à Policy Elements à Conditions and click the icon to right of Posture. Select AV
Compound Condition from the left-hand pane and then click + Add from the right-hand pane menu. Enter
the following values and then click Submit at the bottom of the page:

Name ClamWin_AVinstalled
Description Check ClamWin AV is installed
* Operating System Windows 7 (All)

Vendor ClamWin *** Note: There is also an entry for ClamAV ***

Check Type ¤ Installation ¡ Definition

Products for Selected Vendor
þ ClamWin FREE Antivirus

Note: If no AV products appear under Vendor field, then posture updates have not yet been downloaded or download
has not yet completed.

Step 256 Define an AV posture condition that validates the signature version of ClamWin AV on an endpoint. This
check will be used in posture requirements applied to Employees.
Step 257 Click Add from the right-hand pane menu.
Step 258 Enter the following values and then click Submit at the bottom of the page:

Name ClamWin_AVcurrent
Description Check ClamWin AV is current
* Operating System Windows 7 (All)

Vendor ClamWin *** Note: There is also an entry for ClamAV ***

Check Type ¡ Installation ¤ Definition

¡ Check against latest AV definition file version if available.
Otherwise check against latest definition file date.
 SECURE ACCESS HOW-TO GUIDES

¤ Allow virus
definition files to be 7 days older than

¡ latest file date ¤ current system date

Products for Selected Vendor
þ ClamWin FREE Antivirus

Step 259
Step 260 Define a Posture Remediation Action that installs ClamWin AV on an endpoint.
Step 261 Go to Policy > Policy Elements > Results and click the icon to left of Posture (or double-click Posture)
in the left-hand pane to expand its contents. Next, expand the contents of Remediation Actions.
Step 262 Select Link Remediation and then click Add from the right-hand pane menu. Enter the following values
and then click Submit:

* Name Install_ClamWin_AV
Description Link distribution to ClamWin AV install package
Remediation Type Manual
Interval 0
Retry Count 0
* URL http://updates.demo.local/clamwin-0.97.6-setup.exe
Step 263
Step 264 Define a Posture Remediation Action that updates ClamWin AV on an endpoint.
Step 265 Select AV Remediation from the left-hand pane and then click Add from the right-hand pane menu. Enter
the following values and then click Submit:

* Name Update_ClamWin_AV_Definitions
Description Link distribution to ClamWin AV install package
Remediation Type Manual
* Interval 0
* Retry Count 0
Operation System ¤ Windows ¡ Mac
ClamWin *** Note: There is also an entry for
* AV Vendor Name ClamAV ***

Step 266
Step 267 Update a pre-built Posture Remediation Action that updates any supported AV on an endpoint.
Step 268 Select AV Remediation from the left-hand pane, select AnyAVDefRemediationWin from the list, and
then click Edit from the right-hand pane menu. Change the remediation type from Automatic to Manual,
and then click Save:

* Name AnyAVDefRemediationWin
Description Remediation for any AV
Remediation Type Manual
* Interval 0
* Retry Count 0
Operation System ¤ Windows ¡ Mac
* AV Vendor Name ANY
 SECURE ACCESS HOW-TO GUIDES

Step 269
Step 270
Step 271 Define Posture Requirements that will be applied to Employees and Guest users.
Step 272 Select Requirements from the left-hand pane (under Policy à Policy Elements à Results à Posture).

Enter the following entries into the table using the selector at the end of a rule entry to insert or
duplicate or update rules. Note that ordering does not matter. Click Save when finished.

Navigate to http://tools.demo.local/cp/Posture-Requirements-excercise-6.rtf from Admin PC to

copy/paste message
Name OS text. Conditions Remediation Actions
Action
Message Shown to Agent User
Message Text Only
An approved Antivirus program was NOT detected on
ANY_AV_Installation Windows your PC. All users must have a current AV program
ANY_av_win_inst installed before access is granted to the network. If
_Win All
you would like to install a free version of ClamWin AV,
please go to http://updates.demo.local/clamwin-
0.97.6-setup.exe
ANY_AV_Definition_ Windows AnyAVDefRemediationWin
ANY_av_win_def
Win All (optional)
User Defined Conditions à Install_ClamWin_AV
ClamWin AV Windows AV Compound Condition à
Installation Win7 7 (All) (optional)
ClamWin_AVinstalled
Update_ClamWin_AV_Definitions
User Defined Conditions à
ClamWin AV Current Windows AV Compound Condition à All users must have ClamWin AV with current
Win7 7 (All) signatures. Please click start to update the
ClamWin_AVcurrent
signatures now.

Note: If a preconfigured condition does not display under the list of Conditions, be sure you have selected the
appropriate Operating System setting for both the condition as well as requirement rule. Only conditions that are
the same or subset of the OS selected for the rule will display in the Conditions selection list.

Note: A remediation action of Message Text Only provides the message content in the Description field to the user if
requirement fails. This can be used to provide instructions to end user such Help Desk contact numbers, URL
links, or other text to assist in the remediation process. Also note that basic html can be entered into this field.

Note: Save your configuration

Step 273 Configure the Posture Policy to ensure ClamWin AV is installed and current on Employee computers
running Windows 7 and that Any supported AV is installed and current on Guest user computers.
Step 274 Go to Policy à Posture and create new policy rules using the values provided in the table, and then click
Save to apply your changes:

Identity Operating
Status Rule Name Other Conditions Requirements
Groups Systems
Employee Windows Any Windows 7 demo.local:ExternalGroups P ClamWin AV Installation Win7
AV installed and (All) EQUALS
current demo.local/HCC/Groups/Emp P ClamWin AV Current Win7
loyees
Guest Windows AV Any Windows All Network Access:UseCase P Any_AV_Installation_Win
installed and current EQUALS Guest Flow
P Any_AV_Definition_Win
SECURE ACCESS HOW-TO GUIDES

Note: Be sure to set the posture policy rules to DISABLED using the selector on the left hand side of the rule:

Note: You will enable the posture rules individually during testing.

Note: To specify a Posture Requirement as Mandatory, Optional, or Audit, click the icon to the right of the
requirement name and select an option from the drop-down menu:
 SECURE ACCESS HOW-TO GUIDES

OPTIONAL: Configure a Secure Screen Saver Posture Policy

Exercise Description
Posture assessment allows administrators to validate the applications and configurations on user endpoints through the
use of posture agents such as the AC ISE Posture Module or NAC Web Agent. Posture assessment can utilize file,
registry, application process, service, Windows and AV/AS checks to accomplish the task of determining endpoint
compliance with Posture Policy. The Posture Policy defines the set of conditions that must be satisfied for an endpoint
to be considered compliant, and if not, the methods to be used for remediation.

This exercise covers the configuration of a Posture Policy based on registry conditions to validate a Windows client PC
has a secure screen saver configured.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

• Define Registry posture conditions that validate the Windows desktop screen saver settings to be enabled and
secure (require password to unlock computer) with a short timeout and screen saver selected (not set to None).
• Define a Remediation Action to update the registry configuration that controls the screen saver to policy
compliant values.
• Configure a Posture Requirement for the screen saver to be enabled and secure.
• Configure a Posture Policy to apply the screen saver policy to any Windows user

Lab Exercise Steps

Step 275 Define Registry Conditions that validate the compliance of Windows screen saver settings with our lab
policy.
Step 276 Go to Policy à Policy Elements à Conditions and click the icon to right of Posture. Select Registry
Condition from the left-hand pane.
Step 277 Create a Registry Condition that checks that the current user’s screen saver is enabled.
Step 278 Click Add from the right-hand pane menu. Enter the following values and then click Submit.

* Name ScreenSaver_On
Description (optional)
Registry Type RegistryValue
Registry Root Key HKCU * Sub Key \ Control Panel\Desktop
* Value Name ScreenSaveActive
Value Data Type Number
Value Operator equals
Value Data 1
* Operating System Windows All
Step 279 Create a Registry Condition that checks that the current user’s screen saver is set to a value other than
(None).
Step 280 Click Add from the right-hand pane menu. Enter the following values and then click Submit.

* Name ScreenSaver_SCR
Description (optional)
 SECURE ACCESS HOW-TO GUIDES

Registry Type RegistryValue

Registry Root Key HKCU * Sub Key \ Control Panel\Desktop
* Value Name SCRNSAVE.EXE
Value Data Type String
Value Operator ends with
Value Data scr
* Operating System Windows All
Step 281 Create a Registry Condition that checks that the current user’s screen saver is secure (password set).
Step 282 Click Add from the right-hand pane menu. Enter the following values and then click Submit.

* Name ScreenSaver_Secure
Description (optional)
Registry Type RegistryValue
Registry Root Key HKCU * Sub Key \ Control Panel\Desktop
* Value Name ScreenSaverIsSecure
Value Data Type Number
Value Operator equals
Value Data 1
* Operating System Windows All

Step 283 Create a Registry Condition that checks that the current user’s screen saver timeout is less than or equal to
300 seconds (5 minutes).
Step 284 Click Add from the right-hand pane menu. Enter the following values and then click Submit.

* Name ScreenSaver_Timeout
Description (optional)
Registry Type RegistryValue
Registry Root Key HKCU * Sub Key \ Control Panel\Desktop
* Value Name ScreenSaveTimeOut
Value Data Type Number
Value Operator less than or equal to
Value Data 300
* Operating System Windows All
Step 285 Create a Compound Condition that includes each of the specific Screen Saver registry checks as a single
condition.
Step 286 Select Compound Condition from the left-hand pane, and then click Add from the right-hand pane menu.
Enter the following values from the table:

* Name ScreenSaver
Description (optional)
* Operating System Windows All
Expression Select a condition to insert below () ! & |

ScreenSaver_On & ScreenSaver_Secure & ScreenSaver_SCR & ScreenSaver_Timeout

 SECURE ACCESS HOW-TO GUIDES

Note: Although the Expression content in a Compound Condition can be manually entered, it is recommend that the
Condition List be used to navigate and select the desired checks. This helps to ensure values are entered
correctly. Use the operand buttons [( ) & ! |] to select the correct logical separators.

Step 287 Click the icon to right of Registry Condition in the Condition List section.
Step 288 Select ScreenSaver_On from the list. Item should appear in open text field.
Step 289 Click the & symbol button under the open text field. The symbol should be appended to the content in the
open text field.
Step 290 Complete the condition expression using the following selections:
Step 291 ScreenSaver_Secure
Step 292 &
Step 293 ScreenSaver_SCR
Step 294 &
Step 295 ScreenSaver_Timeout
Step 296 Click icon to the right of the expression window to see basic syntax help for creating a compound
condition based on individual checks (simple conditions).
Step 297 Click Validate Expression to have the system verify the basic expression logic and that expression is
composed of valid checks.
Step 298 Click Submit when finished.
Step 299 Define a Posture Remediation Action that updates the screen saver registry keys on a Windows PC to
compliant values.
Step 300 Navigate to Policy à Policy Elements à Results and expand the contents under Posture, and then
expand Remediation Actions.
Step 301 Select Link Remediation from the left-hand pane and then click Add from the right-hand pane menu.
Enter the following values and then click Submit:

* Name Enable_Secure_Screen_Saver
Description Download compliant screen saver registry values
Remediation Type Manual
Interval 0
Retry Count 0
* URL http://updates.demo.local/ScreenSaver.reg

Step 302 Define Posture Requirements that will be applied to Employees and Guest users.
Step 303 Select Requirements from the left-hand pane (under Policy à Policy Elements à Results à Posture).
Step 304 Add a Screen Saver requirement into the table using the following values and then click Save:

Remediation Actions
Operating
Name Conditions Action
System
Message Shown to Agent User
Enable_Secure_Screen_Saver
Screen User Defined Conditions à PCs must have a screen saver enabled and password
Windows
Saver On Regular Compound Condition à protected. You may manually make changes to these
All
and Secure ScreenSaver settings or else click the link to download and run a file
that contains secure screen saver settings

Step 305
Step 306 Configure the Posture Policy to ensure a Secure Screen Saver is present on Employee and Guest user
computers running Windows.
Step 307 Go to Policy à Posture and create new policy rules using the values highlighted in the table, and then
click Save to apply your changes:
 SECURE ACCESS HOW-TO GUIDES

Identity Operating
Status Rule Name Other Conditions Requirements
Groups Systems
Employee Any Windows All demo.local:ExternalGroups
ScreenSaver EQUALS
P Screen Saver On and Secure
demo.local/HCC/Groups/Emp
loyees
Employee Windows Any Windows 7 demo.local:ExternalGroups P ClamWin AV Installation Win7
AV installed and (All) EQUALS
current demo.local/HCC/Groups/Emp P ClamWin AV Current Win7
loyees
Guest ScreenSaver Any Windows All Network Access:UseCase
EQUALS Guest Flow P Screen Saver On and Secure

Guest Windows AV Any Windows All Network Access:UseCase P Any_AV_Installation_Win

installed and current EQUALS Guest Flow
P Any_AV_Definition_Win
Step 308

Note: Be sure to set the posture policy rules to DISABLED using the selector on the left hand side of the rule:

Note: You will enable the posture rules individually during testing
SECURE ACCESS HOW-TO GUIDES
 SECURE ACCESS HOW-TO GUIDES

Test Posture Assessment and Posture Policies using

AnyConnect Unified Agent
Exercise Description
• In the previous lab exercises you have configured and tested Client Provisioning services to validate policy-
based distribution of the AnyConnect Agent to Employees. Posture Policies have also been configured. This
exercise will test the Posture Requirements and Policies for Employees running the AnyConnect Agent.

Exercise Objective
• In this exercise, your goal is to complete the following tasks:
• Login as an Employee via 802.1X authentication and verify proper execution of AC ISE Posture Module
discovery, posture, and remediation process.
• Test AV Posture Policy using AnyConnect Agent.
• OPTIONAL: Test Screen Saver Posture Policy using AnyConnect Agent.
• Review switch commands to validate correct application of policies.
• Review ISE authentication log monitoring tools to validate correct application of policies.
• OPTIONAL: Configure and test Passive Re-Assessment (PRA).

Lab Exercise Steps

AV POSTURE TESTING

Step 309 Delete ClamWin AV signatures on the w7pc-corp to ensure that the client AV software is out of
compliance with AV signature updates.
Step 310 Log into the w7pc-corp client as DEMO\employee1 / ISEisC00L, where DEMO is the Windows domain
name.
Step 311 From the w7pc-corp client, open the Lab Tools shortcut from the Windows desktop and run (double-click)
the Delete_ClamWin_AV_Updates script.
Step 312 A command window should open to execute processing of the script and indicate “Process Complete!”
when finished. Press any key to continue.

Step 313 Close the Lab Tools window.

Step 314 Logoff Windows using the Start menu:
 SECURE ACCESS HOW-TO GUIDES

Step 315 Enable the AV Posture Policy for Employees.

From the Admin client PC, access the ISE admin interface and go to Policy > Posture.
Enable the [ Employee Windows AV Installed and Current ] rule by setting its status as follows:

Click Save to apply changes.

Step 316 Test AV Posture Policy for Employees.

Log back in to w7pc-corp as DEMO\employee1 / ISEisC00L, where DEMO is the Windows domain
name.

The previously installed AnyConnect should automatically launch after Windows login and begin the
posture assessment process. Due to an out-of-compliance condition for the AV policy and the remediation
action was set to manual, click [ Start ] to initiate it.

Step 317 This manual remediation will trigger the ClamAV client to update its signature definitions. It may take ~ 2
minutes because downloading full ~ 100-Mbyte definition files. A notification should be viewable from the
Windows task tray upon successful update.

Note: If the ClamWin update process fails…

Note: The remediation server (updates.demo.local) is configured to download current AV signature files upon
start of the p##_lob-web VM. If this process fails to complete, then the ClamAV client may fail to download the
AV signature files from the remediation server as shown above. If the above process fails, then go to Policy à
Posture from the ISE admin interface, and change the requirements for the posture rule named Employee
Windows AV Installed and Current policy from Mandatory to Optional.

Note: To specify posture requirements as Optional, navigate to the Requirements column of the posture policy
rule and expand the contents of the requirement. Click the icon to the right of the requirement name and
select Optional from the drop-down menu. Repeat for each requirement in the rule.
 SECURE ACCESS HOW-TO GUIDES

The AUP page should display following successful remediation. Click Accept to accept the Network
Usage Policy Terms and Conditions.

Step 318 Validate the authorization status of the w7pc-corp client on the access switch.
Step 319 Return to the access switch terminal session.
Verify the authorization status of the PC switchport using the command show authentication sessions
interface GigabitEthernet 1/0/1.

Step 320 The DATA domain should show successful 802.1X authentication from user auth (User-Name =
DEMO\employee1) and the current dACL (ACS ACL) should be PERMIT_ALL_TRAFFIC.

SCREEN SAVER POSTURE TESTING

Step 321 Prepare the PC client w7pc-corp for testing the full Posture Policy for Employees.
Step 322 Run the Delete_ClamWin_AV_Updates script from the Lab Tools shortcut on the Windows desktop. This
will remove the AV client’s current signature definitions.

Step 323 From the Windows desktop, double-click the Screen Saver
shortcut to open the Control Panel’s Personalization settings.
Step 324 Verify that the Windows screen saver settings are disabled:
Step 325 Screen saver = (None)
Step 326 On resume, display logon screen = <Not checked>
Step 327
Step 328 Click OK to close the Screen Saver Settings and close the Control Panel window.
Step 329
Step 330 Log off from w7pc-corp.

Step 331 Enable the Screen Saver Posture Policy for Employees.
From the Admin client PC, access the ISE admin interface and go to Policy > Posture.
Enable the Employee ScreenSaver rule by setting its status as follows:
 SECURE ACCESS HOW-TO GUIDES

Click Save to apply changes.

Step 332 Test Screen Saver Posture Policy for Employees.
Log back in to the Windows 7 PC client as DEMO\employee1 / ISEisC00L, where DEMO is the
Windows domain name.

Step 333 The AnyConnect Agent should automatically launch after Windows login and begin the posture assessment
process. Since we reverted the AV signatures to a non-compliant state, automatic AV signature remediation
will again need to be performed.
The Remediation Action for the Screen Saver Posture Requirement was set to Manual so deliberate user
input is required to trigger remediation.
Read the instructions (this information was entered into the requirement description during creation of the
Posture Requirement) and click Go To Link:

Click on ‘Start and a window will appear to download the registry fixes from the lab update server. Click
Save File:
 SECURE ACCESS HOW-TO GUIDES

Step 334 The file ScreenSaver.reg is downloaded to w7pc-corp. Double-click the filename to install the new registry
settings:

Note: If the link only provides text and no download, then open Lab Tool folder short cut and double click
the AddScreenSaver.reg

A Windows warning message appears to inform you that the registry will be modified. Click Yes to apply
the changes:

Click OK to acknowledge the successful registry update:

Step 335 Close any remaining browser windows opened as part of the remediation process.
The AUP page should display following successful remediation. Click Accept to accept the Network
Usage Policy Terms and Conditions.
A message will appear stating Network access allowed.

Step 336 Test the Employee login experience when fully compliant with Posture Policy.
Step 337 Logoff from w7pc-corp and then log back in as user DEMO\employee1.
Step 338 Upon Windows login, the AnyConnect ISE Posture Module (System Scan) should open and detect that the
client PC is fully compliant with Posture Policy. Only the AUP should require user input. Click Accept to
accept the AUP. The AC ISE Posture Module should show Network access allowed.
Step 339 Verify the Screen Saver policy settings:
Step 340 From the Lab Tools shortcut on the Windows desktop, double-click the Personalization shortcut to open
the Control Panel’s Personalization settings.
Step 341 Select Screen Saver from the Control Panel windows (bottom right corner).
Step 342 Verify that the Windows screen saver settings are disabled:
 SECURE ACCESS HOW-TO GUIDES

Step 343 Screen saver = Blank

Step 344 Wait = 5 minutes
Step 345 On resume, display logon screen = <Checked>

Step 346 Click OK to close the Screen Saver Settings and close the Control Panel window.

Step 347
Review the ISE Authentication logs for proper authentication, authorization, and policy assignment.
Step 348
Access the ISE admin interface from the Admin client PC.
Step 349
Go Operations à Authentications.
Step 350
Review the entries associated with w7pc-corp based on IP address. Note the following progression of
entries that indicate proper application of the Authorization Policy based on authentication and posture
compliance state:
Step 351 Username=host/w7pc-corp.demo.local, Authorization Profile=AD Login
Step 352 Username=DEMO\employee1, Authorization Profile=Posture Remediation
Step 353 Username=DEMO\employee1, Authorization Profile=Employee
Step 354
Step 355 OPTIONAL: Passive Re-Assessment (PRA) TESTING
Step 356 Configure the PRA policy from the system posture settings:

Go to Administration à System à Settings and click the icon to the left of Posture in the left-hand
pane to expand the contents of the Posture settings
Click Reassessments in the left-hand pane, and then click Add from the menu in the right-hand pane.

Step 357 Enter the following values for the new PRA policy and click Submit when finished:

* Configuration Name PRA_Any_User

Configuration Description (optional)
Use Reassessment Enforcement? [þ]
Enforcement Type remediate
Interval 2
 SECURE ACCESS HOW-TO GUIDES

Grace Time 1
Select Roles Any
Step 358

Note: The standard minimum settings for PRA Interval and Grace Time are 240 and 5 minutes, respectively. The
settings used in this lab are for training purposes only. Specific code changes were necessary for the ISE
appliance in this lab to allow these lower values to be configured.

Step 359
Step 360 Configure the Posture Policy for PRA.
Step 361 By default, all matching posture requirements are validated upon initial posture assessment and then
periodically according to the PRA policy. The Session attribute Agent-Request-Type can be defined in the
Posture Policy to selectively apply posture requirements to either the initial assessment only or to periodic
reassessment only:
Step 362 To apply a matching posture requirement to the initial assessment only, set the Session:Agent-Request-
Type attribute EQUAL to Initial.
Step 363 To apply a matching posture requirement to periodic reassessments only, set the Session:Agent-Request-
Type attribute EQUAL to Periodic Reassessment.
Step 364 To apply a matching posture requirement to both the initial assessment and periodic reassessments, then
simply leave the attribute undefined for the policy rule, i.e. do not set Session:Agent-Request-Type.
Step 365
Step 366 Access the ISE admin interface from the Admin client PC.
Step 367 Go to Policy à Posture and update the Posture Policy conditions for Employees with the values shown
below:

Identity Operating
Status Rule Name Other Conditions Requirements
Groups Systems
P Employee Any Windows All demo.local:ExternalGroups P Screen Saver On and Secure
ScreenSaver EQUALS
demo.local/HCC/Groups/Emp
loyees
AND
Session:Agent-Request-Type
EQUALS
Periodic Reassessment
P Employee Windows Any Windows 7 demo.local:ExternalGroups P ClamWin AV Installation Win7
AV installed and (All) EQUALS
current demo.local/HCC/Groups/Emp
loyees
AND P ClamWin AV Current Win7
Session:Agent-Request-Type
EQUALS
Initial
Guest ScreenSaver Any Windows All Network Access:UseCase
EQUALS Guest Flow P Screen Saver On and Secure

Guest Windows AV Any Windows All Network Access:UseCase P Any_AV_Installation_Win

installed and current EQUALS Guest Flow
P Any_AV_Definition_Win

Step 368 Click Save to apply change

 SECURE ACCESS HOW-TO GUIDES

Note: If you have not completed the OPTIONAL Screen Saver posture policy configuration, you can alternatively test
PRA for the AV policy by setting the Session:Agent-Request-Type EQUALS Periodic Reassessment for the
Employee Windows AV Installed and Current policy.

Step 369 Test PRA from the Windows 7 client PC:

Step 370 Logoff from the w7pc-corp and then log back in as user DEMO\employee1.

Note: If login is required to unlock screen, be sure to login first to active login session to unlock desktop, and then logoff
Windows.

Step 371 Upon Windows login, the AnyConnect Agent should open and detect that the client PC is fully compliant
with Posture Policy. Only the AUP should require user input. Click Accept to accept the AUP. The
AnyConnect Agent should show network access allowed.
Step 372 From the Lab Tools shortcut on the Windows desktop, run the Delete_ClamWin_AV_Updates script from
the Windows desktop to remove the AV client’s signature definitions.
Step 373 Run the Remove Screensaver script from the Windows desktop to revert the screen saver settings to non-
compliant values. Click Run, then Yes and then OK to accept and acknowledge the registry changes.
Step 374 Wait up to two minutes for the posture reassessment Interval to trigger. The AnyConnect Agent should
open to alert the failure of the Screen Saver and AV policy.

Step 375
Step 376 Allow the 1 minute Grace Time to expire. The following message will display:

Step 377
 SECURE ACCESS HOW-TO GUIDES

Step 378 Review the switchport authorization status on the access switch.
Return to the access switch terminal session and verify the authorization status of the PC switchport using
the command show authentication sessions interface GigabitEthernet 1/0/1. The current dACL (ACS
ACL) should now be POSTURE-REMEDIATION (changed from PERMIT_ALL_TRAFFIC).

Step 379 Modify the PRA policy for audit only mode.

From the ISE admin interface, go to Administration à System à Settings and click the icon to the left
of Posture in the left-hand pane to expand the contents of the Posture settings
Click Reassessments in the left-hand pane, select PRA_Any_User and then click Edit from the menu in
the right-hand pane.
Change the PRA policy per the following table and then click Save to apply changes:

* Configuration Name PRA_Any_User

Configuration Description (optional)

Use Reassessment Enforcement? [þ]

Enforcement Type continue

Interval 60
Grace Time 5
Select Roles Any
 SECURE ACCESS HOW-TO GUIDES

Test Posture Assessment and Posture Policies using NAC

Web Agent
Exercise Description
• In the previous lab exercises you have configured and tested Client Provisioning services to validate policy-
based distribution of the Web Agent to Guest users. Posture Policies have also been configured. This exercise
will test the Posture Requirements and Policies for Guest users running the Web Agent.

Exercise Objective
• In this exercise, your goal is to complete the following tasks:
• Login as a Guest user via Central Web Authentication and verify proper execution of the Web Agent posture
and remediation process.
• Test AV Posture Policy using Web Agent.
• OPTIONAL: Test Screen Saver Posture Policy using Web Agent.
• Review switch commands to validate correct application of policies.
• Review ISE authentication log monitoring tools to validate correct application of policies.

Lab Exercise Steps

AV POSTURE TESTING

Step 380 Prepare w7pc-corp for Web Agent posture assessment and policy testing as a Guest user.
Step 381 Login as DEMO\employee1
Step 382 From the Lab Tools shortcut on the Windows desktop, run the Delete_ClamWin_AV_Updates script to
remove the AV client’s signature definitions.
Step 383 Run the RemoveScreenSaver script under Lab Tools to revert the screen saver settings to non-compliant
values. Click Yes and then OK to accept and acknowledge the registry changes, and then close the Lab
Tools window.
Step 384 Disable AnyConnect NAM and Windows native 802.1X on w7pc-corp’s wired interface:
Step 385 Double-click on short-cut [ w7pc-corp Network Connections ] on the desktop.
Step 386 Right-click on the connection [ w7pc-corp-wired ] and select properties from the drop-down
menu. When UAC prompted, enter admin / ISEisC00L to continue.
Step 387 In tab Networking, un-check [ Cisco AnyConnect Network Access Manager Filter Driver ] to disable
NAM on this interface.
Step 388 In tab Authentication, un-check [o Enable IEEE 802.1X authentication ]
Step 389 Click OK when done.
 SECURE ACCESS HOW-TO GUIDES

Step 390
Step 391 Re-establish new authorization sessions on the switchport
Step 392 Go to the Putty session for the 3k-access
Step 393 Issue the following from the IOS exec mode:

clear auth sessions interface g1/0/1

Step 394 After ~ 30 seconds, we should see DOT1X and EPM events in the 3k-access terminal session.
Step 395 To verify the switch authorization status at any point during the Guest login and Web Agent posture
process, use the following switch commands:

show authentication sessions interface GigabitEthernet 1/0/1

Step 396 Enable the AV and Screen Saver Posture Policies for Guest users.
From the Admin client PC, access the ISE admin interface and go to Policy > Posture.
Enable the Guest Windows AV Installed and Current rule.
Enable the Guest Screen Saver rule.
Click Save to apply changes.

Step 397 Create a new self-service Guest user account.

Step 398 From w7pc-corp, login as user DEMO\employee1 / ISEisC00L
Step 399 Launch the Mozilla Firefox Web browser. Type in cisco.com and the page should be redirected to the ISE
Web authentication portal.
Step 400 Click the Don’t have an account? hyperlink from the login portal…

…and enter the following values into the form, and then click Submit:
 SECURE ACCESS HOW-TO GUIDES

Username bsmith
First Name Bob
Last Name Smith
Email Address (optional)
Phone Number (optional)
Company GOLD
Person being visited(email) (optional)
Reason for visit (optional)

Step 401 Write down the assigned username and password credentials:
Username: _________________________

Password: __________________________

To facilitate login, select and copy the password entry, making sure not to include any extra
characters.

Click the OK button to display the Web authentication login page again.
Step 402 Login as a Guest user and run the Web Agent.
Enter your new Username/Password credentials and click the Log In button.
If an AUP was enabled for Web authentication, check the box to Accept terms and Conditions and then
click Accept.
The ISE Agent Downloader page should appear. Click the button Click to install agent at the bottom of
the page.
Step 403 Accept any certificate warnings if prompted.
Step 404 The Cisco NAC Web Agent window should appear and indicate that posture assessment is being
performed.
Step 405 Remediate the non-compliant screen saver policy using the Web Agent.
Step 406 Both Guest user Posture Policies for AV and Screen Saver should fail as shown below:
SECURE ACCESS HOW-TO GUIDES

Click the link Click here to remediate under the failed Screen Saver Requirement suggestions.
A File Download warning will appear. Click Run:

Click Allow if presented with a browser security warning:

Note: If you see text when selecting remediate, copy the text to notepad and save the file as .reg
 SECURE ACCESS HOW-TO GUIDES

A Registry Editor window will appear asking if you wish to continue with the registry modifications. Click
Yes to allow the registry to be modified.
Click OK to acknowledge the successful registry update.

Note: If excessive time has passed and the Remediation Timer has expired, you can repeat the Web Agent posture
assessment process by returning to the ISE Agent Downloader page and re-clicking the button Click to install
agent at the bottom of the page.

Step 407 Remediate the non-compliant AV policy.

Click the Re-Scan button in the Web Agent window to have posture re-assessed based on the recent
remediation. The Web Agent should be updated as per the following:

Step 408 As a temporal client for use by any Windows PC including non-admin users, the Web Agent does not allow
for triggered code execution. Therefore, the Guest user must initiate the remediation.
Right-click on the ClamWin icon in the Windows task tray and click Download Virus Database Update:
 SECURE ACCESS HOW-TO GUIDES

The ClamWin AV window will open and show the progress of the signature updates. Click Close when
AV update is complete:

Note: If the ClamWin update process fails…

Note: The remediation server (updates.demo.local) is configured to download current AV signature files upon
start of the p##_lob-web VM. If this process fails to complete, then the ClamAV client may fail to download the
AV signature files from the remediation server as shown above. If the above process fails, then go to Policy >
Posture from the ISE admin interface, and change the requirements for the posture rule named
Contractor_Windows_AV_Installed_and_Current policy from Mandatory to Optional.

Note: To specify posture requirements as Optional, navigate to the Requirements column of the posture policy
rule and expand the contents of the requirement. Click the icon to the right of the requirement name and
select Optional from the drop-down menu. Repeat for each requirement in the rule.

Step 409 Complete the Web Agent posture process.

Click the Re-Scan button in the Web Agent window to have posture re-assessed based on the recent
remediation. The Web Agent should be updated.

Step 410 The login success screen should auto-close after five seconds per the configured policy.
From the original agent install window, click the browser Home icon, or re-enter www.cisco.com into the
URL address field to verify the Guest user now has Internet access.

Step 411
Review the ISE Authentication logs for proper authentication, authorization, and policy assignment.
Step 412
Access the ISE admin interface from the Admin client PC.
Step 413
Go Operations > Authentications.
Step 414
Review the entries associated with w7pc-corp based on IP address. Note the following progression of
entries that indicate proper application of the Authorization Policy based on authentication and posture
compliance state:
Step 415 Username=<MAC_Address>, Authorization Profile=CWA_Posture_Remdiation
Step 416 Username=<Guest_Username>, Authorization Profile=Guest
SECURE ACCESS HOW-TO GUIDES
 SECURE ACCESS HOW-TO GUIDES

Monitor and Report on Posture Services

Exercise Description
ISE includes both monitoring and reporting utilities to validate and troubleshoot Posture Services. This exercise
reviews some of these tools.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

• Review ISE Authentications log and verify session details related to Posture Services.
• Review the ISE Dashboard for high-level posture status and statistics.
• Troubleshoot posture events using ISE Diagnostic Tools.
• Run ISE reports for Posture Services.

Lab Exercise Steps

Step 417 Review the ISE Authentication logs for proper authentication, authorization, and policy assignment.
From the ISE admin interface, go to Operations à Authentications.
Review the log entries associated with w7pc-corp sessions. Click the Details link to see information
regarding how the endpoint was authenticated, identity store used, Authorization Profile applied including
dACLs and other RADIUS attributes assigned.
From the ISE admin interface, go to Home (Dashboard). Review the Posture Compliance dashlet including
Compliance pass percentage by hovering over the Posture Status.

Step 418 Click the upper right corner of the dashlet to expand in a new window and hover over the bar to see
percentage compliant:
Step 419
 SECURE ACCESS HOW-TO GUIDES

Step 420 Click the OS and Posture Status entries to display additional details.
Step 421 Go to Operations > Diagnostic Tools. Click the icon to the left of General Tools in the left-hand pane
to expand its contents, and then click Posture Troubleshooting. The Search page displays.
Step 422 Click Search: (you may have to adjust Time Range)

Step 423 Select one of the pass/fail (green/red) entries and then click Troubleshoot at the bottom of the page:

Step 424
Step 425
Step 426 A message displays to indicate the status of the request:

Step 427 When processing is complete, a window similar to the following will display:

Step 428 Click Show Results Summary. The output displays a summary of all the passed and failed requirements
for the posture event along with the condition names and associated remediation actions:
Step 429
 SECURE ACCESS HOW-TO GUIDES

Step 430
Step 431 Click Done to return to the Search page. Optionally enter new search criteria and repeat the steps to
troubleshoot passed/failed posture events.
Step 432 Go to Operations à Reports à ISE Reports à Endpoints and Users. Select Posture Detail Assessment
from the left-hand pane:

Step 433 Run the Posture Detail Assessment report for today and review the contents.
 SECURE ACCESS HOW-TO GUIDES

Step 434 Click the Details icon for any Failed (Red) posture entry. Review the overall details for the posture session.

Review the requirements which passed and those that failed.

 SECURE ACCESS HOW-TO GUIDES

APPENDIX A : Configure Windows Wired 802.1X Native

Supplicant Manually
The client PC w7pc-corp is pre-configured with wired 802.1X in the lab pods. For references, below are the steps to
configure the client PC for 802.1X authentication to simulate an Employee:
Step 435 Enable 802.1X wired services on the client PC:

Click and type Services Right click the Services ICON and Run as administrator.
Log in as Admin/ISEisC00L
Open the Wired AutoConfig service from the list:
Change Startup type: to Automatic and click Apply.
Click Start and ensure that Service status = Started.
Click OK and close the Services window.

Step 436 Enable 802.1X authentication on the w7pc-corp-wired:

Open the Network Connections shortcut from desktop
Right-click on the entry for the Local Area Connection and select Properties. If prompted by Windows 7
User Account Control (UAC), enter the Domain Administrator credentials admin / ISEisC00L.
Select the Authentication tab at the top of the Properties window.
Verify that 802.1X authentication is enabled (checked) for Enable IEEE802.1X authentication as shown
below:
SECURE ACCESS HOW-TO GUIDES

Verify that “Choose a network authentication method” is set to Microsoft: Protected EAP (PEAP).
Check Remember my credentials for this connection each time I’m logged in”
Click Settings and under Select Authentication Method: verify that the EAP MSCHAPv2 Click Configure
and enable Automatically use my Windows login name and password (and domain if any) as shown:

Click OK twice to close the PEAP Properties page and then click Additional Settings:
SECURE ACCESS HOW-TO GUIDES

Verify that the Specify authentication mode setting is enabled (checked) and set to User or computer
authentication as shown:

Click OK twice to save changes and exit the LAN Properties page.
Exit any open windows and restart the PC by going to Start (Start
menu) and selecting Restart:

Note: Warning: Do NOT select Shutdown or Sleep. If PC is shut or powered down, then any changes made
to client will be lost upon restart and you will need to redo changes made from the start of this lab exercise.
 SECURE ACCESS HOW-TO GUIDES

Heading 2
Body text style Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text style Body text style Body text style Body text style Body text style Body text style Body text style
Body text style Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text.
Body text style Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text style Body text style Body text style Body text style Body text style Body text style Body text style

Heading 2
Body text style Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text style Body text style Body text style Body text style Body text style Body text style Body text style
Body text style Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text.
Body text style:

• Bullet_Level 1
• Bullet_Level 1
• Bullet_Level 1
• Bullet_Level 1
Bullet_Level_1 Text Bullet_Level_1 Text Bullet_Level_1 Text Bullet_Level_1 Text Bullet_Level_1 Text
Bullet_Level_1 Text Bullet_Level_1 Text Bullet_Level_1 Text Bullet_Level_1 Text Bullet_Level_1 Text
Bullet_Level_1 Text Bullet_Level_1 Text

Heading 3
Body text style Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text style Body text style
 SECURE ACCESS HOW-TO GUIDES

(Figure style)
Figure 2. Figure Caption (Note: Numbers update automatically)

Figures should be sized with the following dimensions:

w Width - 5.00”
w Height - 2.00”
 SECURE ACCESS HOW-TO GUIDES

Heading 1
Body text style Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text style Body text style Body text style Body text style Body text style Body text style Body text
style.
Note_Level_1: Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1
Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1
Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1 Note_Level_1

Sub-heading
• Bullet_Level 1
• Bullet_Level 1
• Bullet_Level 1
Note_Level_1_text: Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text
Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text
Note_Level_Text Note_Level_Text.

Heading 2
Body text style Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text style Body text style Body text style Body text style Body text style Body text style
To <task>, complete the following steps (Step_Level 1):

Step 437 Body text style with numbering applied. Body text style Body text style Body text style Body text style
Body text style Body text style Body text style Body text style Body text style.
Step 438 Body text style Body text style Body text style Body text style Body text style Body text style Body text
style Body text style Body text style Body text style Body text style.
Step_Level_1_Text style Step_Level_1_Text style Step_Level_1_Text style Step_Level_1_Text style
Step_Level_1_Text style Step_Level_1_Text style Step_Level_1_Text style Step_Level_1_Text style
Step_Level_1_Text style.
Note_Level_1_text: Steps will increment automatically.

(Figure)
Figure 3. Figure Caption (Note: Numbers update automatically)

Note_Level_1_text: Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text

Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text
Note_Level_Text Note_Level_Text
 SECURE ACCESS HOW-TO GUIDES

Heading 2
Body text style Body text style Body text style Body text style Body text style Body text style Body
text style Body text style Body text style Body text style Body text style Body text style Body text
style Body text style Body text style
Note_Level_1: Note_Level 1 Body Text Note_Level 1 Body Text Note_Level 1 Body Text.
Step 1 Step_Level 1 text Step_Level 1 text Step_Level 1 text Step_Level 1 text Step_Level 1 text Step_Level 1
text Step_Level 1 text Step_Level 1 text

Cisco-CLI style Cisco-CLI style Cisco-CLI style Cisco-CLI style Cisco-CLI style Cisco-CLI style
Cisco-CLI style Cisco-CLI style Cisco-CLI style Cisco-CLI style Cisco-CLI style Cisco-CLI style

Cisco-CLI style Cisco-CLI style Cisco-CLI style Cisco-CLI style

Step 2 Step_Level 1 text Step_Level 1 text Step_Level 1 text Step_Level 1 text Step_Level 1 text Step_Level 1
text Step_Level 1 text Step_Level 1 text

Cisco-CLI style
Cisco-CLI style
Cisco-CLI style
Cisco-CLI style
Cisco-CLI style Cisco-CLI style

Note_Level_1_text: Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text

Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text Note_Level_Text
Note_Level_Text Note_Level_Text To test the pxGrid client connection, ping the IP address of the Cisco
DMZ gateway:

Cisco-CLI style

Step 3 Step_Level 1 text Step_Level 1 text

Cisco-CLI style

Step_Level 1_Text Step_Level 1_Text Step_Level 1_Text Step_Level 1_Text Step_Level 1_Text
Step_Level 1_Text Step_Level 1_Text Step_Level 1_Text

Step 4 Step_Level 1 text >Step_Level 1 text > Step_Level 1 text Step_Level 1 text > Step_Level 1 text.
Step 5 Step_Level 1 text >Step_Level 1 text > Step_Level 1 text Step_Level 1 text > Step_Level 1 text.
Step 6 Step_Level 1 text >Step_Level 1 text > Step_Level 1 text Step_Level 1 text > Step_Level 1 text.

Heading 3
Body text Body text Body text Body text Body text Body text Body text Body text Body text Body text Body text
Body text Body text Body text Body text Body text Body text Body text Body text Body text.
Table 1. Table_Caption (Copy this table structure and insert/delete rows or columns for your need)
 SECURE ACCESS HOW-TO GUIDES

Table_Heading Table_Heading
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text
Table_Text Table_Text

Note_Level 1: Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1

Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1 Note_Level 1
SECURE ACCESS HOW-TO GUIDES

APPENDIX A Title