Art of ISE Posture Config Troubleshooting

LAB Guide

Cisco dCloud

The Art of ISE posture, configuration and troubleshooting.

Created by Serhii Kucherenko, Technical Consulting Engineer


Last Updated: 08-October-2021

IMPORTANT! This content is community developed and is not subject to standard dCloud verification or support.
Please contact dCloud Support for more information.

This guide for the preconfigured LAB includes:

Introduction
Disclaimer
LAB Scenario
LAB topology diagram
LAB IP addresses and VLANs
LAB Access Instructions
Introduction to LAB guide, DEMO flows and scenarios
Task 1 Configuration: ISE redirect-based posture
Pre-Configuration
Configuration Steps
Step 1: Configure posture conditions
Step 2: Configure posture requirements
Step 3: Configure a posture policy
Step 4: Configure AnyConnect ISE posture profile
Step 5: Create AnyConnect configuration
Step 6: Define Client Provisioning Policy

Task 2 Troubleshooting: ASA WebVPN login issue


Problem description
How it should work

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 95
You are not allowed


Hints
Solution
Task 3 Troubleshooting: Redirect to Client Provisioning portal is failing
Problem description
How it should work
You are not allowed
Hints
Solution
Task 4 Troubleshooting: CP portal displays ‘You now have Internet access through this network.’
Problem description
How it should work
You are not allowed
Hints
Solution
Task 5 Troubleshooting: Untrusted Server Blocked!
Problem description
How it should work
You are not allowed
Hints
Solution
Task 6 Configuration: ISE Next Generation posture
Pre-Configuration
Configuration Steps
Step 1: Wkst1 preparation
Step 2: Configure AnyConnect ISE posture profile
Step 3: Create AnyConnect configuration
Step 4: Define Client Provisioning Policy

Task 7 Troubleshooting: Error on the client provisioning portal for failed SSO scenario
Problem description
How it should work
You are not allowed
Hints

Note
Solution
Task 8 Troubleshooting: SSO is failing on the Client Provisioning Portal
Problem description
How it should work
You are not allowed
Hints
Solution

Introduction

This lab contains multiple configuration and troubleshooting tasks for the ISE posture feature. The ISE
posture process is divided into two main posture flows: redirect-based and non-redirect-based flows.
While working on this lab, students will develop an understanding of the differences between both
approaches. Furthermore, the lab contains multiple troubleshooting tasks which are based on real-life
customer issues that have been handled and resolved by Cisco TAC.

Upon completion of this lab, you will be able to:

• Configure posture services on ISE (Identity Services Engine) for redirect and non-redirect flows.
• Configure Cisco ASA (Adaptive Security Appliance) to support posture over VPN (Virtual Private
Network).
• Effectively troubleshoot posture-related issues on every involved component (ISE, agent, Network
Access Device).

Disclaimer

This training document is intended to familiarize the student with ISE Posture configuration and troubleshooting.
Although the lab design and configuration examples could be used as a reference, it is important to note
that it is not a real design. As such, not all recommended features are used, or enabled optimally. For any
design-related questions, please contact your representative at Cisco, or a Cisco partner.

LAB Scenario

This lab scenario is based on the imaginary corporate network of DEMO. DEMO is an international finance
company. Secure network access has been the main concern of the IT department for the past couple of years.

Three years ago, Cisco ISE 2.1 was implemented as an identity solution. DEMO invested a huge
amount of money in ISE. All required ISE flows have been working perfectly fine for the last three years.
For the last couple of months, the IT department, together with an external supplier, has been working on an
ISE 2.1 to ISE 2.3 upgrade project to implement posture services on ISE. This was a major requirement from
the DEMO CEO because, previously, a huge amount of money had been invested in third-party NADs which
don’t support redirection.

You, along with your colleague Diana Prince, were working on the POC for DEMO. The POC is based on
the lab deployed in the Cisco dCloud to demonstrate that all requirements of DEMO can be met.

Unfortunately, Diana has fallen ill recently, and you will have to present the POC to the DEMO IT manager
alone.

There are still a couple of configuration tasks which need to be finalized and the lab tested by the DEMO
IT staff. In case of any issues, you will need to troubleshoot and fix them ASAP since this project has high
visibility and a huge financial impact.

LAB topology diagram

LAB IP addresses and VLANs

IP Addresses

Device                                 Name/Hostname/Alias     IP Addresses                     NATed IP Address
Adaptive Security Appliance (virtual)  ASAv.dcloud.cisco.com   198.18.133.254, 198.19.10.100    ---
Identity Services Engine               ise.dcloud.cisco.com    198.19.10.27                     ---
AD (AD/CS/DNS)                         Ad1.dcloud.cisco.com    198.19.10.1                      198.18.133.1
Jump host/Test PC                      Wkst1                   198.18.133.36                    ---
Fake web server to trigger redirect    web.dcloud.cisco.com    198.19.10.151

Internal VLANs and IP Subnets

VLAN   VLAN Name   IP Subnet         Description
---    ---         198.18.128.0/18   Outside subnet where Wkst1 is connected
---    ---         198.19.10.0/24    Inside subnet where ISE and AD are connected

LAB Access Instructions

Accounts and Passwords

Access To              Account (username/password)                         Access Methods
ASAv.dcloud.cisco.com  admin / C1sco12345 (enable password: C1sco12345)    SSH from the laptop in the LAB room or ASDM from Wkst1
ise.dcloud.cisco.com   admin / C1sco12345                                  SSH/HTTPS from the laptop in the LAB room
AD (AD/CS/DNS/DHCP)    Administrator / C1sco12345                          RDP from the laptop in the LAB room
Wkst1                  Administrator / C1sco12345                          RDP from the laptop in the LAB room

Note: Authentication might fail for AD1. If this is the case, click on ‘Switch User’ and enter the username
‘.\Administrator’ and password ‘C1sco12345’.

VPN Connection

To access LAB devices, you need to establish an SSL VPN connection to the dCloud data center. To do this,
press "View" next to your session name in the 'Sessions' area.

In the new window, go to the 'Details' tab and scroll down in the ‘Session Details’ window to ‘AnyConnect
Credentials’.

Use the Cisco AnyConnect client on your PC to establish an SSL connection to the dCloud data center.

Access to the Wkst1 and AD1 over RDP

Launch the Windows RDP client on your PC and use IP addresses from the ‘IP Addresses’ table to establish
connections to Wkst1 and AD1. For AD1, use the NATed IP to connect via RDP. Wkst1 is located on the
Outside interface of the ASAv.

Access to the ISE GUI

To access the ISE GUI, after confirming the VPN connection has been established, open a web browser on
your PC and put the following URL into the address bar - https://198.19.10.27/

Please accept any certificate warnings. Alternatively, if you would like to access the GUI without the VPN, you
can log in via AD1.

Note: There is no management access to ISE from Wkst1.

Access to the ISE/ASA CLI

To access the CLI of the ASA/ISE, open the terminal client (PuTTY) available on the desktop of Wkst1 and use
the corresponding saved sessions.

Access to the ASA over ASDM

If needed, you can access the ASA device over ASDM. You can launch ASDM on Wkst1 (a shortcut is
available on the desktop). Use the FQDN asav.dcloud.cisco.com and the ASAv credentials from the ‘Accounts and
Passwords’ table.

Introduction to LAB guide, DEMO flows and scenarios

This LAB contains two types of tasks: configuration and troubleshooting tasks. Below you may find a short
explanation for each type of task.

Configuration task – In this task, you are requested to follow a step-by-step procedure to achieve some
configuration goal.

Troubleshooting task – This section contains all the information required for a participant to troubleshoot
an issue. The LAB authors recommend spending no more than 10-20 minutes on each troubleshooting
task trying to solve the issue on your own. After this time, please go to the solution section.

Troubleshooting section structure:

• Problem description – Here you can find a short description of the problem, as well as information
about devices which should be used for testing and troubleshooting.
• How it should work – This section contains an explanation of the flow. Here you can find detailed
information about what exactly you should see in a working scenario.
• You are not allowed – This part contains a set of restrictions specific to a task.
• Hints – This section has short hints that might point you in the right direction to troubleshoot the
issue.
• Solution – Each troubleshooting task is followed by a detailed solution. This section contains an
explanation of the given feature and detailed troubleshooting steps for all issues which have been injected
in the task.

Task 1 Configuration: ISE redirect-based posture

In this task, you need to finish a configuration started by Diana which demonstrates a working redirect-based
posture flow to the DEMO IT staff. All the configuration which has already been implemented is
described in the pre-configuration section for your reference.

To start, open your browser to https://198.19.10.27 to access the ISE GUI and enter the credentials
admin/C1sco12345.

Pre-Configuration

The following has already been configured:

▪ ASA is added as a Network Access Device to ISE

To confirm this, navigate to (1)Work Centers → (2)Posture → (3)Network Devices

▪ A separate Client Provisioning Portal has been created for each posture style

You can confirm this by navigating to (1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Client
Provisioning Portals

▪ All required Client Provisioning resources were pre-downloaded to ISE

Client provisioning resources are located at (1)Work Centers → (2)Posture → (3)Client Provisioning →
(4)Resources

Resources highlighted in blue will be used during this lab.

▪ The following authorization profile has been created for redirect-based posture

(1)Work Centers → (2)Posture → (3)Policy Elements → (4)Authorization Profiles

▪ For each posture style, a separate policy set has been created. Policy set selection is based on the
VPN tunnel group name.

(1)Work Centers → (2)Posture → (3)Policy Sets

▪ There were two authorization policies pre-created in the ‘CLASSIC_POSTURE’ policy set

(1)Work Centers → (2)Posture → (3)Policy Sets → (4)CLASSIC_POSTURE

1. CPP_REDIRECT – This policy applies to the initial authentication attempt and places the endpoint in a
redirect state.
2. POSTURE_COMPLIANT – This policy should be applied to the endpoint after a successful posture
process.

▪ ASA side settings

The ASA has been fully preconfigured for posture over SSL VPN. The redirect-based posture flow is implemented
for the tunnel-group with the name “POSTURE-REDIRECT”. Next Generation posture is implemented for
the tunnel-group “POSTURE-NG”.

Configuration Steps

During this configuration task, you need to finalize the posture services settings on the ISE. Generally, the
following workflow can be used on ISE for posture services configuration:

Items highlighted in blue need to be configured as part of this task.

Step 1: Configure posture conditions

As part of this POC, Windows assets can be marked as ‘Compliant’ when:

▪ Windows Update agent is running (Mandatory)
▪ Any firewall product is running (Optional)
▪ Any anti-malware software is installed (Optional)

Due to these requirements, we need to create three posture conditions:

To create a condition for Anti-Malware, navigate to (1)Work Centers → (2)Posture → (3)Policy Elements
→ (4)Conditions → (5)Anti-Malware and press Add

To configure an Anti-Malware condition, the following things need to be defined:

a. Condition name – DEMO-AM
b. Operating System – Windows All
c. Vendor – ANY
d. Check Type – Installation
e. Product name – ANY

Click Submit to save the new condition.

To create a condition for Firewall check, navigate to (1)Work Centers → (2)Posture → (3)Policy Elements
→ (4)Conditions → (5)Firewall Condition and press Add

To configure a Firewall condition, the following things need to be defined:

a. Condition name – DEMO-FW
b. Compliance module – 4.x or later
c. Operating System – Windows All
d. Vendor – Microsoft Corporation
e. Select ‘Enable’
f. Product Name – Windows Firewall of ANY version

Click Submit to save the new condition.

To create a condition for Windows update check, navigate to (1)Work Centers → (2)Posture → (3)Policy
Elements → (4)Conditions → (5)Patch Management and press Add

To configure a Patch Management condition, the following things need to be defined:

a. Condition Name – DEMO-UPDATE
b. Operating System – Windows All
c. Compliance Module – 4.x or later
d. Vendor Name – Microsoft Corporation
e. Check Type – Installation
f. Product Name – Windows Update Agent version 7.x

Click Submit to save the new condition.

Step 2: Configure posture requirements

A posture requirement is a configuration item on ISE which connects posture conditions with posture
remediation actions. In other words, we define what the agent needs to check (Requirement) and what
the agent needs to do in case the specified posture conditions have not been met (Remediation).

Since DEMO would like to focus on the flow itself, there is no need to define special remediation actions.
As part of the POC, the user should get a text pop-up message in case some posture requirements have
not been met.

This allows us to use the 'Message Text Only' remediation, which can be defined directly in the posture
requirement.

To create Posture Requirements, navigate to (1)Work Centers → (2)Posture → (3) Policy Elements →
(4)Requirements

On this page, press the button which is located near the ‘Edit’ button of any existing requirement and
select ‘Insert new Requirement’. This needs to be repeated three times.

The final configuration of the Anti-Malware requirement should look like the below example:

a. Define a requirement name – DEMO-AV

b. As OS select – Windows All
c. For compliance module select – 4.x or later
d. Select as agent – AnyConnect
e. Define a posture condition:
   Select – User defined condition
   Find in the conditions list – Anti-Malware Condition
   Select the previously created DEMO-AM condition from the list.

f. Define a remediation action

In the remediation list, select ‘Message Text Only’ and add the following text: ‘Please contact DEMO IT to
get an Anti-Malware product’ like the one displayed in the below example:

Now you can proceed with the creation of the next requirement.

The final configuration of the Firewall requirement should look like the below example:

a. Define a requirement name – DEMO-FW
b. As OS select – Windows All
c. For compliance module select – 4.x or later
d. Select as agent – AnyConnect
e. Define a posture condition:
   Select – User defined condition
   Find in the conditions list – Firewall Condition

Select the previously created DEMO-FW condition from the list.

f. Define a remediation action

In the remediation list, select ‘Message Text Only’ and add the following text: ‘Please enable Firewall
product on your system’ as displayed in the below example:

Now you can proceed with the creation of the next requirement.

The final configuration of the Windows Update requirement should look like the below example:

a. Define a requirement name – DEMO-UPDATE
b. As OS select – Windows All
c. For compliance module select – 4.x or later
d. Select as agent – AnyConnect
e. Define a posture condition:
   Select – User defined condition
   Find in the conditions list – Patch Management Condition

Select the previously created DEMO-UPDATE condition from the list.

f. Define a remediation action

In the remediation list, select ‘Message Text Only’ and add the following text: ‘Please enable Windows
update agent’ as displayed in the below example:

Now you can click Save at the bottom of the page.

Step 3: Configure a posture policy

In this step, we need to define a posture policy which will be used for both redirect-based and non-redirect-based
flows. Since it's a POC, we can avoid defining any specific conditions in the policy.

To create a new posture policy, navigate to (1)Work Centers → (2)Posture → (3) Posture Policy

On the Posture Policy page, you can fill the values in the empty policy.

Final configuration of the posture policy should look like the below example:

a. Policy name – DEMO-WIN-POSTURE
b. Operating Systems – Windows All
c. Compliance Module – 4.x or later
d. Posture Type – AnyConnect
e. Requirements – You need to select all three requirements created in Step 2

After all three requirements are added, modify the type of the check from Mandatory to Optional for DEMO-AV
and DEMO-FW as described below:

Now you can click Save at the bottom of the page.

Step 4: Configure AnyConnect ISE posture profile

The ISE posture profile is an essential part of the client provisioning configuration on ISE. In the simplest scenario,
we only need to define a profile name and specify the server name rules.

(1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Resources

Click Add and select “NAC Agent or AnyConnect Posture Profile”

In the new window, you need to finish the posture profile configuration:

Scroll down in the profile to the ‘Server name rules’ field.

a. Choose agent type – AnyConnect
b. Define a profile name – POSTURE-REDIRECT
c. Specify Server name rules – put ‘*’ here. Server name rules instruct the AnyConnect ISE posture
module which PSNs it is allowed to connect to. Validation is based on the PSN name provided to the agent by
ISE during the posture process. Standard wildcard logic applies here.

Click Submit at the bottom of the page.
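As an added illustration (not part of the original guide, and not the AnyConnect module's own code), the following Python models how a server name rule decides which PSN names the posture module will talk to. It assumes standard shell-style wildcard matching, and goes a little beyond the lab by contrasting the ‘*’ rule used in this step with a tighter rule scoped to the lab domain; all PSN names except the lab PSN are constructed.

```python
import fnmatch
from typing import List, Tuple


def parse_server_name_rules(rules: str) -> List[str]:
    """Split the comma-separated 'Server name rules' string into lowercase
    wildcard patterns, ignoring whitespace and empty entries."""
    return [r.strip().lower() for r in rules.split(",") if r.strip()]


def psn_allowed(psn_fqdn: str, rules: str) -> bool:
    """Return True if the PSN name handed to the agent matches at least one rule.

    Matching is case-insensitive shell-style wildcard matching ('*' matches any
    run of characters, '?' a single character). This is the 'standard wildcard
    logic' the guide refers to; the exact matcher inside the AnyConnect ISE
    posture module is an assumption of this example.
    """
    name = psn_fqdn.strip().lower().rstrip(".")
    return any(fnmatch.fnmatchcase(name, pattern)
               for pattern in parse_server_name_rules(rules))


def evaluate(rules: str, candidates: List[str]) -> List[Tuple[str, bool]]:
    """Evaluate one rule set against several PSN names; returns (name, allowed) pairs."""
    return [(c, psn_allowed(c, rules)) for c in candidates]


# Constructed PSN names: the lab PSN, a plausible second lab PSN, a name whose
# suffix only looks like the lab domain, and an unrelated host (none are real).
CANDIDATES = [
    "ise.dcloud.cisco.com",
    "ise-psn2.dcloud.cisco.com",
    "ise.dcloud.cisco.com.example.net",   # lab domain is not the suffix here
    "other-psn.example.net",
]

LAB_RULE = "*"                      # what Step 4 asks for: any PSN name is accepted
STRICT_RULE = "*.dcloud.cisco.com"  # tighter rule: only PSNs under the lab domain

if __name__ == "__main__":
    for label, rule in (("lab rule", LAB_RULE), ("strict rule", STRICT_RULE)):
        print(f"Server name rules = '{rule}' ({label})")
        for name, ok in evaluate(rule, CANDIDATES):
            print(f"  {'allow' if ok else 'deny '}  {name}")
```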

Step 5: Create AnyConnect configuration

During this step, you need to create an AnyConnect configuration which binds together AC pkg version,
compliance module version and posture profile. In addition, this is the place where an administrator can
define which AC modules should be provisioned and with which profiles.

On the same page, click Add and select – AnyConnect Configuration

The first thing to select on the new page is the AC pkg version. The drop-down list here includes all pkg
files available in the client provisioning resources:

After the package has been selected, you have the possibility to define all other settings:

Note: You need to select the highlighted pkg file from the drop-down list

a. Specify AC configuration name – AC-CONFIG-REDIRECT
b. Choose a compliance module from the drop-down list – 4.2.1134.0
c. In the ‘Profile selection’ section, choose ‘POSTURE-REDIRECT’ next to the ISE Posture component

Scroll down to the bottom of the page and click ‘Submit’.

Step 6: Define Client Provisioning Policy

The Client Provisioning policy in ISE specifies which Resources (BYOD/Posture) should be provisioned to
the end-user.

DEMO has the following requirements for provisioning of the AC configuration which you've just created
for the redirect-based flow:

▪ The user should belong to the AD group vpn-redirect
▪ VPN authentication should be performed over MS-CHAPv2

To define a client provisioning policy, navigate to (1)Work Centers → (2)Posture → (3)Client Provisioning
→ (4) Client Provisioning Policy

a. Specify the client provisioning policy name – AC-REDIRECT-POLICY
b. In the ‘Operating Systems’ section, select – ‘Windows All’
c. Press the ‘+’ sign in the ‘Other Conditions’ section
d. Press ‘Create New Condition’ in the new window:

e. Press the button in the new window to open a dictionary list
f. Select the Active Directory dictionary – AD1 (the dictionary name here is the name of your Join Point)

g. Select the ExternalGroups attribute in the AD1 dictionary

h. Select the ‘vpn-redirect’ group

i. Press the cogwheel sign to add one more condition

j. Select the Network Access dictionary

k. Select an AuthenticationMethod as an attribute

l. Use MSCHAPv2 as the attribute value

m. In the result section, select the AC configuration – AC-CONFIG-REDIRECT

Afterwards, press ‘Done’ next to the policy and then press ‘Save’ at the bottom of the page.

At this stage, configuration of redirect-based flow is finished, and we can start testing.

Task 2 Troubleshooting: ASA WebVPN login issue

Problem description

Your colleague, Clark Kent, started to test VPN posture with redirection right after you finished the
configuration. His account, Clark/C1sco12345, is part of the AD group ‘vpn-redirect’. Unfortunately, Clark
reported that the initial WebVPN authentication on the ASA, to download AC, failed for him with the
following error:

Clark confirmed that the Live Logs on ISE show the failed attempts.

He also discovered the following output in the detailed authentication report:

Note: During the LAB, instead of the error mentioned above, you may observe another error – ‘Wrong
password or invalid shared secret’. While symptoms could be different, both problems have the same root
cause.

Below is an example of the ‘Wrong password or invalid shared secret’ error

He tried to authenticate multiple times and confirmed that the issue is always reproducible. Clark gave you
his credentials as he needed to leave the office urgently. You can connect to Wkst1 using RDP to
reproduce and fix the problem.

To access the ASA WebVPN portal, use the bookmark ‘ASAv’ in the Firefox web browser on Wkst1.

How it should work

The following statements are true for the ASA WebVPN login:

▪ User Clark should be authenticated against AD
▪ The ASA acts as a Network Access Device which uses ISE as a RADIUS server for WebVPN authentication
▪ Clark needs to select POSTURE-REDIRECT in the GROUP drop-down list on the WebVPN login page
▪ ISE should choose the following policies:
   a. Policy set – CLASSIC_POSTURE
   b. Authentication Policy – Default
   c. Authorization Policy – CPP_REDIRECT
▪ After a successful login to the ASA WebVPN portal, the AC installation follows the steps shown in the
screenshots below:

The user needs to press Continue on the banner:

AC installation should start automatically:

All Java security warnings need to be approved:

Note: Firefox no longer provides NPAPI support (the technology for Java applets):
https://java.com/en/download/faq/firefox_java.xml

AC installation should run without any user interaction needed:

At the end of the process, you should see that AC has automatically connected to the POSTURE-REDIRECT
group.

You are not allowed

▪ To change any settings on the ASA side

▪ To use any accounts except for the AD account ‘Clark’

▪ To make any changes on AD domain controller

▪ To change any policies or policy order on ISE

Note 1: Policy changes refer to any changes in Policy Sets, Posture, Profiling or Client Provisioning Policies.

Note 2: Please, accept any certificate warning presented during installation.

Hints

▪ Investigate the right side of the detailed authentication report on ISE to better understand the steps
performed by ISE during authentication

▪ You can use the AD Test User option to check the password and retrieve AD attributes.

Solution

To open the detailed authentication report, go to Operations → Live Logs and click on the Magnifying glass
icon next to the failed attempt.

From the detailed RADIUS report, we can see that the authentication is failing and that the reason for failure is
a disabled user account:

As per our requirement, the user Clark should be authenticated against the AD. We need to confirm whether the
user credentials are correct and whether the user account is disabled. To make sure that AD authentication
works, we can use the “AD Test User” tool.

Go to Administration → Identity Management → External Identity Store → Active Directory → AD1, select
the ISE node and click on Test User. Enter the user’s credentials (Clark/C1sco12345) and click on Test.

As we can see, the username and password are correct and authentication is successful. This confirms
that the user account is enabled. We can also see the domain groups to which the user belongs. It seems
neither the credentials nor the user status is the cause.

Going back to the detailed RADIUS logs, we can see on the right a step-by-step account of the
authentication flow.

From the report, we can clearly see that ISE is using the ‘All_User_ID_Stores’ identity source sequence to check
the user credentials. This sequence points to the Internal User Store before the AD for authenticating
this user. It seems the user ‘Clark’ is also configured in the Internal User Store. Therefore, ISE
never checks with the AD, which is the next store in the sequence.

To check the sequence, go to (1)Administration → (2)Identity Management → (3)Identity Source
Sequences → (4)All_User_ID_Stores.

From the configuration above, we can clearly see that ISE will first check with the Internal Users store and
then with the AD. To resolve the issue, move ‘All_AD_Join_Points’ to the top of the sequence and Save
the configuration.

Once this is done, test the authentication again, which should now succeed.
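The behaviour behind this fix, modelled in Python as an added example (it is neither the guide's nor ISE's own code): a simplified identity source sequence walker in which a store that finds the user but rejects it ends the sequence, while ‘user not found’ falls through to the next store. The store contents, the disabled internal ‘clark’ account and its old password are constructed for the demonstration; only the AD account and group come from the lab.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    password: str
    enabled: bool = True
    groups: List[str] = field(default_factory=list)


@dataclass
class IdentityStore:
    name: str
    users: Dict[str, Account]  # keyed by lowercase username

    def lookup(self, username: str) -> Optional[Account]:
        return self.users.get(username.lower())


def authenticate(sequence: List[IdentityStore], username: str,
                 password: str) -> Tuple[bool, str, List[str]]:
    """Walk the stores in the order given by the identity source sequence.

    Simplified model of the ISE behaviour the guide relies on (an assumption
    of this example, not a reproduction of ISE internals):
      - user not found in a store  -> continue with the next store
      - user found but disabled     -> stop, reject ('Disabled user account')
      - user found, wrong password  -> stop, reject
      - user found, password OK     -> accept
    Returns (success, summary, per-store trace).
    """
    trace: List[str] = []
    for store in sequence:
        account = store.lookup(username)
        if account is None:
            trace.append(f"{store.name}: user not found, trying next store")
            continue
        if not account.enabled:
            trace.append(f"{store.name}: Disabled user account")
            return False, f"Authentication failed: disabled account in {store.name}", trace
        if account.password != password:
            trace.append(f"{store.name}: wrong password")
            return False, f"Authentication failed: wrong password in {store.name}", trace
        trace.append(f"{store.name}: authentication succeeded")
        return True, f"Authenticated against {store.name}", trace
    trace.append("user not found in any store")
    return False, "Authentication failed: user not found", trace


# Constructed stores reproducing the lab state: a stale, disabled 'clark' in
# Internal Users (constructed) and the live account in the AD join point.
INTERNAL_USERS = IdentityStore("Internal Users",
                               {"clark": Account("old-password", enabled=False)})
AD1 = IdentityStore("All_AD_Join_Points",
                    {"clark": Account("C1sco12345", groups=["vpn-redirect"])})

BROKEN_SEQUENCE = [INTERNAL_USERS, AD1]  # All_User_ID_Stores as found in the lab
FIXED_SEQUENCE = [AD1, INTERNAL_USERS]   # AD join points moved to the top


def demo() -> None:
    """Print the step trace for both orderings of the sequence."""
    for label, seq in (("before fix", BROKEN_SEQUENCE), ("after fix", FIXED_SEQUENCE)):
        ok, summary, trace = authenticate(seq, "Clark", "C1sco12345")
        print(f"[{label}] {summary}")
        for step in trace:
            print("    ", step)


if __name__ == "__main__":
    demo()
```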

Going to the Live Logs, we will be able to see a successful RADIUS authentication. From the detailed
RADIUS authentication report, we can see the user successfully authenticated with the AD and that they
matched the correct policies.

On the Workstation, click on Continue to begin the AnyConnect installation as mentioned above. Follow
the steps until AnyConnect is installed.

Task 3 Troubleshooting: Redirect to Client Provisioning portal is failing

Problem description

After you fixed the problem with the login and AC has been successfully installed, the expectation is that
the user will be redirected to the ISE client provisioning portal when they try to access
http://web.dcloud.cisco.com. Unfortunately, during testing, the customer’s IT staff observed that the page
is not loading. You need to troubleshoot this issue.

This is a screenshot of the problem which has been shared with you:

It was confirmed that the issue is reproducible every time when accessing http://web.dcloud.cisco.com.
Please use Wkst1 to reproduce and troubleshoot the problem.

How it should work

The following statements are true for the redirection to the ISE client provisioning portal:
▪ The user should see the CP portal after placing the following URL into the browser address bar -
http://web.dcloud.cisco.com

▪ The CP portal should present a ‘Start’ button to the user to initiate a Device Security Check.

▪ The screenshot below demonstrates the end of the working flow:


Note: You should ignore and approve any certificate warning during the redirect to the CP portal.

You are not allowed

▪ To use any URL except http://web.dcloud.cisco.com to trigger redirection

▪ To make any changes on AD domain controller

▪ To change any policy, policy components or policy order on ISE

Note: Policy component changes refer to changes in Policy → Policy Elements ISE configuration Tab. It
also refers to any other components of ISE configuration which can be used as a reference anywhere in
Policy → Policy Elements.

Hints

▪ You can launch Wireshark on the AnyConnect adapter to see the redirect process at the packet
level

Note: In case the AnyConnect adapter is not available in the adapters list in Wireshark, follow the procedure
below to fix this:

▪ Exit Wireshark


▪ Launch CMD as an Administrator

▪ Enter the command ‘sc stop npf’ and press Enter

▪ Enter the command ‘sc start npf’ and press Enter

▪ Start Wireshark once again

▪ The following filter can be used in Wireshark to show all events related to redirection:
‘dns||http||tcp.port==8443’

Solution

From the previous task, after successful authentication, we can see in the detailed RADIUS report that the
ISE node is pushing the “POSTURE_CPP_REDIRECT” Authorization profile. At the bottom of the report, in
the Results section, we see the attributes ISE is pushing to the ASA which show the redirect ACL and URL:

On the ASA CLI, we can see those attributes are applied by using the “show vpn-sessiondb detail
anyconnect” command:

ASAv# show vpn-sessiondb detail anyconnect

<output omitted>

Pkts Tx : 10 Pkts Rx : 16

Pkts Tx Drop : 0 Pkts Rx Drop : 0


ISE Posture:
Redirect URL : https://posture.dcloud.cisco.com:8443/portal/gateway?sessionId=c6130a640000b0005c27fa27&portal=7b2ff1a...
Redirect ACL : POSTURE-REDIRECT

When the user tries to access http://web.dcloud.cisco.com, we can see that the URL bar changes to the
redirect URL, but the webpage does not open:

This indicates redirection is taking place and the ASA is returning the ISE redirect URL to the user, but the
ISE portal page is not reachable. To troubleshoot this further, we can open Wireshark and check the packet
flow. To do so:
1) Start the packet capture on the AnyConnect adapter
2) Use the filter “dns||http||tcp.port==8443”
3) Go to http://web.dcloud.cisco.com.

The following packets should appear in Wireshark:


The steps below show the redirect flow in more detail:

1) DNS resolution for web.dcloud.cisco.com is successful through the VPN tunnel:

2) The browser tries to reach the HTTP site, but the ASA will intercept this traffic and redirect the user
back to ISE. Notice how the HTTP reply is spoofed by the ASA to appear as if it is coming from the
site’s IP. You can see the posture redirect URL in the HTTP response packet details:


3) The browser tries to go to the ISE portal URL through the VPN tunnel on port 8443, but there is no reply.
We see multiple retransmissions attempting this connection, with no luck:

At this point, we know that the PC is sending the traffic to the ASA, but it is being dropped at some point.
The next point to check in the packet flow is the ASA itself. If you recall, the command ‘show vpn-sessiondb
detail anyconnect’ shows details about the AnyConnect session.
From the command, we can see that there is no VPN filter to block the user’s traffic, but we do see a
redirect ACL called “POSTURE-REDIRECT”. If we list the ACL contents, we can see the following:

ASAv# show access-list POSTURE-REDIRECT

access-list POSTURE-REDIRECT line 1 extended permit tcp any any eq www

access-list POSTURE-REDIRECT line 2 extended deny udp any any eq domain

access-list POSTURE-REDIRECT line 3 extended deny tcp any host 198.19.10.27 eq 8434


access-list POSTURE-REDIRECT line 4 extended permit ip any any

A deny statement in the redirect ACL means the matching traffic should not be redirected, while a permit
statement means the matching traffic should be redirected to the ISE portal page.
In our case, DNS is excluded from redirection, which is why we are able to resolve the FQDN of
http://web.dcloud.cisco.com. HTTP is redirected, as seen in the first ACL line, which is why we
see the redirect URL in the browser. Line 3 is meant to let traffic to the ISE PSN node pass without
redirection as well, but the port number for the portal is incorrect: as can be seen from the redirect URL
on the ASA, it should be 8443. This is why we are not able to open the portal page.
Remove line 3 and add it again with the correct port:

no access-list POSTURE-REDIRECT line 3 extended deny tcp any host 198.19.10.27 eq 8434
access-list POSTURE-REDIRECT line 3 extended deny tcp any host 198.19.10.27 eq 8443

The access-list below should be the result:

ASAv# show access-list POSTURE-REDIRECT

access-list POSTURE-REDIRECT line 1 extended permit tcp any any eq www
access-list POSTURE-REDIRECT line 2 extended deny udp any any eq domain
access-list POSTURE-REDIRECT line 3 extended deny tcp any host 198.19.10.27 eq 8443
access-list POSTURE-REDIRECT line 4 extended permit ip any any
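To make the permit/deny semantics concrete, the following is an added Python model of the first-match evaluation the ASA applies to a redirect ACL; it is not from the lab guide or from Cisco. It parses the broken and the corrected POSTURE-REDIRECT lists above and traces the three flows from the Wireshark capture (DNS, HTTP, portal on 8443); the web server address 203.0.113.10 is a constructed placeholder, and only the ACL syntax used in this task is supported.

```python
"""Model of ASA redirect-ACL evaluation (first match wins).

Added example, not taken from the lab guide or from Cisco. It supports only
the extended-ACL syntax used in this task: permit/deny, tcp/udp/ip, 'any' or
'host X' for source and destination, and an optional 'eq PORT' on the
destination. 'permit' means redirect to ISE, 'deny' means pass through.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"www": 80, "domain": 53, "https": 443}  # ASA port keywords seen in this lab


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass
class AclEntry:
    action: str               # "permit" (redirect) or "deny" (do not redirect)
    proto: str                # "tcp", "udp" or "ip"
    dst_host: Optional[str]   # None means 'any'
    dst_port: Optional[int]   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_host is not None and self.dst_host != pkt.dst_ip:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    i += 2
    i += 2 if tokens[i] == "host" else 1          # skip source ('any' or 'host X')
    dst_host = None
    if tokens[i] == "host":
        dst_host = tokens[i + 1]
        i += 2
    else:
        i += 1                                     # 'any'
    dst_port = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        dst_port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return AclEntry(action, proto, dst_host, dst_port)


def parse_acl(text: str) -> List[AclEntry]:
    return [parse_acl_line(l) for l in text.splitlines() if l.strip().startswith("access-list")]


def redirect_decision(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching line decides; no match means the traffic is not redirected."""
    for entry in acl:
        if entry.matches(pkt):
            return "redirect" if entry.action == "permit" else "pass"
    return "pass"


# The ACL as found on the ASA in this task (port 8434 is the misconfiguration).
BROKEN_ACL = """\
access-list POSTURE-REDIRECT line 1 extended permit tcp any any eq www
access-list POSTURE-REDIRECT line 2 extended deny udp any any eq domain
access-list POSTURE-REDIRECT line 3 extended deny tcp any host 198.19.10.27 eq 8434
access-list POSTURE-REDIRECT line 4 extended permit ip any any
"""
FIXED_ACL = BROKEN_ACL.replace("eq 8434", "eq 8443")

# The three flows seen in the Wireshark capture. 203.0.113.10 is a constructed
# placeholder for web.dcloud.cisco.com; 198.18.133.1 is the lab DNS server.
FLOWS = {
    "dns": Packet("udp", "198.18.133.1", 53),
    "http": Packet("tcp", "203.0.113.10", 80),
    "portal": Packet("tcp", "198.19.10.27", 8443),
}


def trace_flows(acl_text: str) -> Dict[str, str]:
    acl = parse_acl(acl_text)
    return {name: redirect_decision(acl, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    # With the broken ACL the portal's own traffic falls through to line 4 and is
    # selected for redirection too, so the browser never reaches ISE on 8443.
    print("broken:", trace_flows(BROKEN_ACL))
    print("fixed: ", trace_flows(FIXED_ACL))
```

The trace shows the portal flow switching from "redirect" to "pass" once line 3 carries the port that the redirect URL actually uses.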

Once this is done, disconnect the VPN and reconnect for the ACL changes to take effect. Use the same
credentials as before and try to open the webpage again once connected. You should be presented with
the following page:


Click on Advanced → Add exception → Confirm. You should see the ISE Client provisioning portal
afterwards.

Task 4 Troubleshooting: CP portal displays ‘You now have Internet access through this network.’

Problem description

When the issue with the redirection has been solved, the user is able to see the CP portal. However, after
clicking on the ‘Start’ button, instead of starting AC ISE posture module installation, we see ‘You now have
Internet access through this network’.


The ISE live logs show that ISE issues a CoA (the row with an empty identity field) which moves the user
to a Permit-Access authorization profile:

According to the output of ‘show vpn-sessiondb detail anyconnect’ taken from the ASA after clicking on
Start in the browser, there is no redirection applied to the session anymore:

ASAv# sh vpn-sessiondb detail anyconnect

<output omitted>

Pkts Tx : 68 Pkts Rx : 60
Pkts Tx Drop : 0 Pkts Rx Drop : 0

Normally, when redirection is in place, we should see the following:

ASAv# sh vpn-sessiondb detail anyconnect

<output omitted>

Pkts Tx : 10 Pkts Rx : 16
Pkts Tx Drop : 0 Pkts Rx Drop : 0

ISE Posture:
Redirect URL : https://posture.dcloud.cisco.com:8443/portal/gateway?sessionId=c6130a64000060005bf18527&portal=7b2ff1a...
Redirect ACL : POSTURE-REDIRECT


It was confirmed that this issue is reproducible all the time. To be redirected once again, you need to
disconnect AnyConnect and reconnect using the same username and password
(Clark/C1sco12345). You can use Wkst1 to troubleshoot this problem further.

How it should work

The following statements are true for the redirect to the client provisioning policy selection:

▪ After pressing the ‘Start’ button, the user should be asked to install the AC ISE posture module

▪ The user should hit the following client provisioning policy – ‘AC-REDIRECT-POLICY’

The screenshots below demonstrate what needs to happen after pressing on the ‘Start’ button.
First, the countdown timer is displayed to the user:

After the timer reaches 0, the user can select ‘This is my first time here’ and click on the AnyConnect
download link.

As a result, Cisco Network Setup Assistant (NSA) is pushed from ISE to the endpoint.


Cisco Network Setup Assistant (NSA) can be launched from the ‘Downloads’ folder once it is fully
downloaded.

After pressing the ‘Start’ button in the NSA, the user should see the following:

You are not allowed

▪ To use any other user except for the AD user ‘Clark’

▪ To make any changes in the AD domain controller


▪ To change any policy, policy components or policy order on ISE.

Hints

▪ The following report can be used on ISE to check client provisioning policy selection:
(1)Work Centers → (2)Posture → (3)Reports → (4)Reports → (5)Posture Reports → (6)Client Provisioning

▪ During client provisioning policy selection, ISE takes attributes from the passed authentication.
You can use the detailed authentication report to check what attributes ISE knows for this
specific user.

Solution

In the first task of this lab, we configured ISE to provision a newly connected device with the AnyConnect
posture module to perform a posture scan. We can see that the user reaches the provisioning portal but
is not able to download the AnyConnect configuration we defined.
The fact that no client provisioning is taking place when we click on Start means that we are not matching
any rule in the Client Provisioning Policy. To confirm this point, we can go to (1)Work Centers → (2)Posture
→ (3)Reports → (4)Reports → (5)Posture Reports → (6)Client Provisioning
From the report, we can see that we are not able to match any policy for this user even though we
configured one:

Going back to the Client provisioning policy (1)Work Centers → (2)Posture → (3)Client
Provisioning → (4) Client Provisioning Policy, we can check the conditions to match our rule:


From the screenshot, we can see that AC-CONFIG-REDIRECT will be pushed if:
1- The user is part of the vpn-redirect AD group

AND

2- The authentication method used by the ASA is MSCHAPv2

To confirm these points, we can go back to the detailed RADIUS authentication report to check the details
collected during the authentication. From the screenshot, under the Other attributes section, we can see
some details collected about this user including AD related information:

We can see that the AD condition is met as the user is part of the correct group. In the same report, under
Authentication details, we can see the authentication method being used:


It seems the ASA is using PAP-ASCII instead of MSCHAPv2, and herein lies the problem. Since no changes
can be made on ISE, we need to configure the ASA to use MSCHAPv2. To do so, log in to
the ASA and configure the tunnel group to allow MSCHAPv2 by adding the “password-management”
command under the tunnel group configuration:

ASAv# configure t

ASAv(config)# tunnel-group POSTURE-REDIRECT general-attributes

ASAv(config-tunnel-general)# password-management

The output below shows the command in place:

ASAv# show run tunnel-group POSTURE-REDIRECT

tunnel-group POSTURE-REDIRECT type remote-access
tunnel-group POSTURE-REDIRECT general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy DCLOUD-POSTURE-GP
 password-management
tunnel-group POSTURE-REDIRECT webvpn-attributes
 group-alias POSTURE-REDIRECT enable
 group-url https://ASAv.dcloud.cisco.com/POSTURE-REDIRECT enable

Once that command is added, disconnect and reconnect the VPN and navigate to
http://web.dcloud.cisco.com. After clicking on Start, the following window will appear.

This means we are matching the proper provisioning policy. Go through the ISE posture module download
and installation process as described in the “How it should work” section.

Task 5 Troubleshooting: Untrusted Server Blocked!

Problem description

Currently, when the user tries to run Network Setup Assistant to install the AC ISE posture, the following
warning message is displayed right after the installation starts:


The DEMO team confirmed that the same certificates will be used in production and this warning message
is unacceptable as it will confuse users. It has been confirmed that the problem is easily reproducible so
now, you need to use Wkst1 to troubleshoot it further.

How it should work

▪ After receiving the message displayed below, the user should not get any certificate warnings:


You are not allowed

▪ To use any other user except AD user Clark

▪ To change any settings on the ASA

▪ To remove, edit or replace any identity certificates on ISE

▪ To specify any Static IP/Host name/FQDN in the POSTURE_CPP_REDIRECT authorization profile

▪ To change any policies or policy order on ISE

Hints

▪ Remind yourself how certificate validation happens

▪ Wireshark captures at the moment the warning is displayed can show what certificates are transferred
over the wire

▪ Such warning messages are logged in AnyConnect.txt which is in the DART bundle:

DARTBundle_YYYY_XXXX\Cisco AnyConnect Secure Mobility Client

Solution

There are two main reasons for certificate validation failure:

1- The certificate presented by the TLS server is signed by a Certificate Authority (CA) that the client does
not trust.

2- The certificate presented by the TLS server contains a different name than the one requested by the client.

To determine which certificates are received by the client, we can run Wireshark right before getting the
warning. To do that:

1) On the Wkst1, connect to the VPN to get redirected to the client provisioning portal
2) Download the Network Setup Assistant (NSA) but do not run it
3) Start the captures
4) Once the captures have started, try to open the downloaded NSA file
5) Once you reach the certificate warning, stop the captures.
6) Filter for the IP address of ISE. You should see the following details in Wireshark:


As we can see, the captures show the certificate being presented to the client, the name of that certificate,
which is ise.dcloud.com, and the issuing CA.
To understand why the AnyConnect downloader is not accepting this certificate, we can download the
Diagnostic and Reporting Tool (DART) logs. To do so, open the AnyConnect client and click on the Gear
icon at the bottom left corner followed by the Diagnostic button.

Click on Next and wait for the bundle to be downloaded. Once it is done, you will see a file called
“DARTBundle-XXXX.zip” on the desktop. Open the file, go to Cisco AnyConnect Secure Mobility Client and open
AnyConnect.txt.

Scrolling down to the time of the latest test, which should be at the bottom, we can see the
following logs:


As we can see from the logs, the AnyConnect client was redirected to posture.dcloud.cisco.com, but the
certificate being presented contains different names. The certificate warning is therefore caused by
certificate name validation.
If we go to (1)Administration → (2)System → (3)Deployment → (4)ise, we can see that the ISE FQDN is
actually ise.dcloud.cisco.com.

We need to determine why the endpoint is redirected to posture.dcloud.cisco.com instead of
ise.dcloud.cisco.com. To confirm, we need to check the configuration to see what redirect URL ISE is
pushing. To do so, go to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Authorization Profiles
and open POSTURE_CPP_REDIRECT.


From the configuration, we can clearly see that the ISE has been configured to generate a URL with a static
name instead of generating it dynamically from the node’s FQDN.


To resolve this issue, we can uncheck this box and save the configuration. Once this is done, notice how
the attributes at the bottom of the page change. These are the attributes that are pushed to the ASA upon
successful authentication:

Before:

After:

Once this is done, reconnect the VPN for the new attributes to take effect and try to go to
http://web.dcloud.cisco.com upon successful VPN authentication. You will notice that the user is
redirected to the ISE portal page, but the page will not load even though we are now redirected to the
correct URL. Recalling troubleshooting Task 3, you can apply the same methodology here to determine
the root cause.
In short, if we open the Windows command prompt and perform a DNS lookup for this name, we will see
that the name is resolved to the wrong IP:


The A record on the DNS server needs to be corrected. To do so, open a remote desktop session to the
AD through the dCloud console menu. From there, click on Start → DNS to open the DNS Manager. Navigate
to (1)Forward Lookup Zones → (2)dcloud.cisco.com → (3)ise, right-click → Properties, and change the IP
to 198.19.10.27.

Afterwards, try to go to http://web.dcloud.cisco.com again and this time the portal page should appear.
Go through the NSA installation; unfortunately, we will still see a certificate warning page.
For the NSA to download the AnyConnect posture configuration from ISE, it first needs to reach ISE. To do
so, it will send HTTP probes to get redirected to the client provisioning page and download the needed
details. The NSA will send two probes:
1- An HTTP packet to the Default Gateway (DG)

2- An HTTP packet to enroll.cisco.com

3- If the NSA is not able to get redirected, it will use an FQDN which is encoded into the file as a
fallback.

To confirm if these probes are working, we can go to “C:\Users\Administrator\Downloads” and open the
file “acisensa.log” to see NSA related log messages. From the file, if we search for the time of the test, we
can see logs such as the ones below:

[Tue Jan 01 21:31:00.313 2019][acisensa]Function: GetIseDiscoveryAttr Thread Id: 0xCD0 File: ExtractName.cpp Line: 339 Level: info :ISE Discovery attributes - FQDN(posture.dcloud.cisco.com), Port(8443), Session ID(vAjyiu-hQnWH2caW4asJuQ)


[Tue Jan 01 21:31:00.313 2019][acisensa]Function: IseDiscovery::addToTargetList Thread Id: 0xCD0 File: IseDiscovery.cpp Line: 345 Level: debug :Added Provisioning target posture.dcloud.cisco.com with sessionID (vAjyiu-hQnWH2caW4asJuQ) and port (8443) to target list
[Tue Jan 01 21:31:00.317 2019][acisensa]Function: IseDiscovery::addToTargetList Thread Id: 0xCD0 File: IseDiscovery.cpp Line: 345 Level: debug :Added Redirection target 198.18.128.1 to target list
[Tue Jan 01 21:31:00.317 2019][acisensa]Function: IseDiscovery::addToTargetList Thread Id: 0xCD0 File: IseDiscovery.cpp Line: 345 Level: debug :Added Redirection target enroll.cisco.com to target list

These logs state that the NSA is preparing to send probes to the DG which is 198.18.128.1, to
enroll.cisco.com and for some reason to posture.dcloud.cisco.com which is not expected in this flow.
Going down further into the logs, we can see that both the DG and enroll.cisco.com probes are failing:

[Tue Jan 01 21:31:01.348 2019][acisensa]Function: Target::Probe Thread Id: 0x8A0 File: Target.cpp Line: 165 Level: debug :Status of Redirection target 198.18.128.1 is (6)
[Tue Jan 01 21:31:05.321 2019][acisensa]Function: Target::Probe Thread Id: 0xE78 File: Target.cpp Line: 165 Level: debug :Status of Redirection target enroll.cisco.com is (6)

Where a Status of (6) means NOT_REACHABLE.

At the same time, we can see that the probe to posture.dcloud.cisco.com is successful. Since the
certificate presented by ISE contains a different name, we get the certificate warning:

[Tue Jan 01 21:31:00.388 2019][acisensa]Function: Target::Probe Thread Id: 0xDA0 File: Target.cpp Line: 165 Level: debug :Status of Provisioning target posture.dcloud.cisco.com with sessionID () and port (8443) is (2)
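Reading acisensa.log by hand gets tedious when several discovery targets are in play, so here is an added Python triage helper (not from the lab guide or from Cisco) that pairs each ‘Added … target’ line with its ‘Status of … target’ probe result from the excerpts above. It flags a redirect-based flow in which neither the DG nor enroll.cisco.com probe answered and lists any Call Home style provisioning targets that should not be present; the sample lines are the ones shown in this task, and only status 6 (NOT_REACHABLE) is documented on the page, so other codes are left numeric.

```python
"""Triage of the NSA discovery probes recorded in acisensa.log.

Added example, not taken from the lab guide or from Cisco. It pairs each
'Added ... target' line with its 'Status of ... target' probe result and
reports which discovery target actually answered. Only status 6
(NOT_REACHABLE) is documented in the lab guide; other codes stay numeric.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the log excerpts shown in this task, one entry per line.
SAMPLE_LOG = """\
[Tue Jan 01 21:31:00.313 2019][acisensa]Function: IseDiscovery::addToTargetList Thread Id: 0xCD0 File: IseDiscovery.cpp Line: 345 Level: debug :Added Provisioning target posture.dcloud.cisco.com with sessionID (vAjyiu-hQnWH2caW4asJuQ) and port (8443) to target list
[Tue Jan 01 21:31:00.317 2019][acisensa]Function: IseDiscovery::addToTargetList Thread Id: 0xCD0 File: IseDiscovery.cpp Line: 345 Level: debug :Added Redirection target 198.18.128.1 to target list
[Tue Jan 01 21:31:00.317 2019][acisensa]Function: IseDiscovery::addToTargetList Thread Id: 0xCD0 File: IseDiscovery.cpp Line: 345 Level: debug :Added Redirection target enroll.cisco.com to target list
[Tue Jan 01 21:31:00.388 2019][acisensa]Function: Target::Probe Thread Id: 0xDA0 File: Target.cpp Line: 165 Level: debug :Status of Provisioning target posture.dcloud.cisco.com with sessionID () and port (8443) is (2)
[Tue Jan 01 21:31:01.348 2019][acisensa]Function: Target::Probe Thread Id: 0x8A0 File: Target.cpp Line: 165 Level: debug :Status of Redirection target 198.18.128.1 is (6)
[Tue Jan 01 21:31:05.321 2019][acisensa]Function: Target::Probe Thread Id: 0xE78 File: Target.cpp Line: 165 Level: debug :Status of Redirection target enroll.cisco.com is (6)
"""
# The probe result seen later in this task, after the split-tunnel fix.
FIXED_PROBE = (
    "[Tue Jan 01 22:17:45.324 2019][acisensa]Function: Target::Probe Thread Id: 0x69C "
    "File: Target.cpp Line: 165 Level: debug :Status of Redirection target enroll.cisco.com is (1)\n"
)

ADDED_RE = re.compile(r":Added (Provisioning|Redirection) target (\S+)")
PROBE_RE = re.compile(
    r":Status of (Provisioning|Redirection) target (\S+)"
    r"(?: with sessionID \(\S*\) and port \((\d+)\))? is \((\d+)\)"
)
NOT_REACHABLE = 6
STATUS_NAMES = {NOT_REACHABLE: "NOT_REACHABLE"}   # the only code the lab guide documents

Target = Tuple[str, str]   # (kind, name), e.g. ("Redirection", "enroll.cisco.com")


def parse_discovery(log_text: str) -> Dict[Target, dict]:
    """Map each discovery target to {'status': int|None, 'port': int|None}."""
    targets: Dict[Target, dict] = {}
    for line in log_text.splitlines():
        m = ADDED_RE.search(line)
        if m:
            targets.setdefault((m.group(1), m.group(2)), {"status": None, "port": None})
            continue
        m = PROBE_RE.search(line)
        if m:
            kind, name, port, status = m.groups()
            entry = targets.setdefault((kind, name), {"status": None, "port": None})
            entry["status"] = int(status)
            entry["port"] = int(port) if port else entry["port"]
    return targets


def summarize(log_text: str) -> Dict[str, str]:
    """Readable status per target, e.g. 'Redirection:enroll.cisco.com' -> 'NOT_REACHABLE'."""
    out = {}
    for (kind, name), info in parse_discovery(log_text).items():
        st = info["status"]
        out[f"{kind}:{name}"] = "not probed" if st is None else STATUS_NAMES.get(st, f"status {st}")
    return out


def redirection_probe_answered(targets: Dict[Target, dict]) -> bool:
    """True when the DG or enroll.cisco.com probe returned anything but NOT_REACHABLE."""
    return any(
        info["status"] not in (None, NOT_REACHABLE)
        for (kind, _), info in targets.items()
        if kind == "Redirection"
    )


def provisioning_targets(targets: Dict[Target, dict]) -> List[str]:
    """Call Home style targets; in a redirect-based flow this list should be empty."""
    return sorted(name for (kind, name) in targets if kind == "Provisioning")


if __name__ == "__main__":
    before = parse_discovery(SAMPLE_LOG)
    print(summarize(SAMPLE_LOG))
    print("redirect probe answered:", redirection_probe_answered(before))
    print("unexpected provisioning targets:", provisioning_targets(before))
    print("after fix:", redirection_probe_answered(parse_discovery(SAMPLE_LOG + FIXED_PROBE)))
```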

So, in this instance, we have two issues to resolve:

1- We need to make sure that ise.dcloud.cisco.com and NOT posture.dcloud.cisco.com is used by the
NSA.

2- We need to make sure http://enroll.cisco.com is successfully redirected.

For the first issue, go to (1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Client Provisioning
Portals and click on CP_PORTAL_REDIRECT.


This is the portal we are presenting to the user, and under the Portal Settings tab we can see the FQDN
configured there:


This is the reason why this FQDN is used in the NSA discovery process. This FQDN is used for the new
style of posturing (Post ISE 2.2) where redirection is not used. More on that later but in this task, we are
going through redirection so this FQDN needs to be removed and the configuration saved. Once this is
done, the NSA will use the system FQDN as a fallback which is ise.dcloud.cisco.com.


As for the second issue, the NSA is trying to send an HTTP request to enroll.cisco.com to get the ASA to
reply with the redirect URL. We need to make sure that this request can reach the ASA. First, we can
perform a DNS lookup to make sure this name is resolvable:

Now we need to make sure that the HTTP traffic to 72.163.1.80 is reaching the ASA through the VPN
tunnel. To do so, check out the AnyConnect route details to confirm what traffic is going through the tunnel
and what traffic is sent directly out to the local network. To do so, you can go to the AnyConnect settings
as shown below:

As you can see, 72.163.1.80 is not part of the secured routes which means the HTTP requests will never
go to the ASA through the tunnel. To fix that, we need to change the Split-Tunnel configuration on the
ASA.

ASAv# show run group-policy

group-policy DCLOUD-POSTURE-GP internal
group-policy DCLOUD-POSTURE-GP attributes
 dns-server value 198.18.133.1
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DCLOUD-SPLIT-TUNNEL
 default-domain value dcloud.cisco.com
 address-pools value DCLOUD-VPN-POSTURE-POOL
 webvpn
  anyconnect modules value dart
  anyconnect profiles value DCLOUD-POSTURE type user

The standard access-list “DCLOUD-SPLIT-TUNNEL” is the list that specifies which traffic should go to the
ASA through the VPN. We need to make sure that the enroll.cisco.com IP is permitted in the ACL using the
command:

access-list DCLOUD-SPLIT-TUNNEL permit host 72.163.1.80

Once this is done, reconnect the VPN to make sure the changes take effect. Afterwards, you should be
able to see an additional route in the AnyConnect details page:

Open the browser and go to http://web.dcloud.cisco.com. Once redirected, start the installation process.
This time you should see that the certificate presented by ISE is trusted, as seen below:


Going back to the acisensa.log, we can now see that enroll.cisco.com is successfully being redirected:

[Tue Jan 01 22:17:45.324 2019][acisensa]Function: Target::Probe Thread Id: 0x69C File: Target.cpp Line: 165 Level: debug :Status of Redirection target enroll.cisco.com is (1)

Once you click on Connect, the AnyConnect posture module and compliance module will start the download
and installation process.
As long as the AnyConnect posture module is downloaded and the scan has begun, we can consider this
task as resolved. You may notice a pop-up as seen below:


This indicates that the Firewall on the PC is not enabled. If you recall, we configured the Firewall check to
be optional. Since this is the case, you can skip this check by clicking on the “Skip” button.
If you wish to remediate, go to Start → Windows firewall as seen below:


Click on “Turn Windows Firewall on or off” as seen below:


This page will allow us to enable the firewall. Turn on the Windows firewall as seen below:

Afterwards, go back to the AnyConnect pop-up and click Start.

Since we are compliant now, the AnyConnect scan will finish and the user will gain access to the network
with a Compliant status.


Task 6 Configuration: ISE Next Generation posture

Pre-Configuration
In addition to the pre-configuration performed for the redirect-based posture, the following configuration
has been added for Next Generation (NG) posture:
1. DACL for the ‘Unknown’ posture state - POSTURE_NO_REDIRECT

(1)Work Centers → (2)Posture → (3)Policy Elements → (4)Downloadable ACLs


The goal of this ACL is to limit network access while the posture status of the endpoint is not yet determined.

2. An additional authorization profile has been created for the ‘Unknown’ posture state

(1)Work Centers → (2)Posture → (3)Policy Elements → (4)Authorization Profiles


3. There are two authorization policies pre-created in the ‘NG_POSTURE’ policy set

(1)Work Centers → (2)Posture → (3)Policy Sets → (4)NG_POSTURE


Configuration Steps

From a high-level perspective, the same configuration components are involved for both redirect and non-
redirect-based posture flows.

Step 1: Wkst1 preparation

Since the same workstation will be used for testing, we need to uninstall AnyConnect and clear all
unwanted AnyConnect configuration files.
1. Uninstall AnyConnect – Go to Start → Control Panel → Programs and Features

Right-click on Cisco AnyConnect Secure Mobility Client and press ‘Uninstall’

Click Yes to remove all of the AnyConnect modules.

2. Clear AnyConnect folder


Navigate to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client and remove everything
except the ‘Profile’ folder:

3. Clear User folder

Navigate to C:\Users\Administrator\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client
and remove everything from this folder:

Step 2: Configure AnyConnect ISE posture profile

The ISE posture profile is an essential part of the client provisioning configuration on ISE. In addition to what
we configured in the profile for redirect-based posture, in the non-redirect flow we normally define a Call
Home address (this is one of the discovery probes, created to locate PSNs in environments where
redirect cannot be implemented). This can be the IP/FQDN of the PSN or the IP/FQDN of a Load Balancer VIP
(in which case the LB distributes the client requests between the different PSNs).

(1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Resources

Click Add and select NAC Agent or AnyConnect Posture Profile


In the new window, finish the posture profile configuration.

Scroll down in the profile to ‘Server name rules’ and ‘Call Home List’:

a. Choose agent type – AnyConnect

b. Define a profile name – POSTURE-NG

c. Specify server name rules – put ‘*’ here

d. Configure call home address – ise.dcloud.cisco.com:8443

Step 3: Create AnyConnect configuration

The only difference in the NG posture configuration is the ISE posture profile name and the name of the
“AnyConnect configuration” itself.

On the same page, click Add and select – AnyConnect Configuration


Continue the configuration according to the example below:

a. Specify AC configuration name – AC-CONFIG-NG

b. Choose a compliance module from the drop-down list – 4.2.1134.0

c. In the ‘Profile selection’ section, choose ‘POSTURE-NG’ next to ISE Posture component.


Scroll down to the bottom of the page and click ‘Submit’.

Step 4: Define Client Provisioning Policy

DEMO has the same requirement for the NG posture in terms of client provisioning.
To define a client provisioning policy, navigate to (1)Work Centers → (2)Posture → (3)Client Provisioning
→ (4) Client Provisioning Policy

On the client provisioning policy page, press the button next to the name of an existing policy and
choose ‘Insert new policy below’

The resulting policy should look like this:

At this stage, configuration of next-generation posture flow is complete and we can start testing.

Task 7 Troubleshooting: Error on the client provisioning portal for failed SSO scenario

Problem description

Your colleague, Bruce Wayne, successfully established a VPN connection with the following credentials:
Bruce/C1sco12345 using tunnel group - POSTURE-NG


According to the description of NG posture flow prepared for DEMO by your company, DEMO users need
to manually open the following URL after a VPN connection has been established successfully -
http://cpp.dcloud.cisco.com

This is the URL of the Client Provisioning Portal from which users should be able to install AnyConnect ISE
posture module.

The first issue Bruce observed is that the CP portal asks for credentials:

This is not what the DEMO team expected to see, since they were promised that users who enter the URL
manually would be authenticated automatically by SSO. SSO works when authentication takes place on
the same PSN where the Client Provisioning Portal is located (this should always be true for your POC
in dCloud since it has only one ISE node).

After an internal discussion, DEMO IT team decided that in a real setup, SSO may not work all the time so
a scenario with the login to the portal needs to be tested as well.

Bruce has been able to log in successfully, but after pressing the Start button he got the error below:

Please connect to Wkst1 over RDP to reproduce and fix the problem. You need to use Bruce’s credentials
to establish a VPN session and later on the client provisioning portal:

Bruce/C1sco12345
tunnel group - POSTURE-NG


How it should work

After pressing on the Start button, the user should see a button to download AnyConnect as shown in the
screenshot below. There is no need to install the AC posture as a verification for this task. After you see
the download button on the page, you can move to the next task.

You are not allowed

▪ To change any settings on the ASA side
▪ To use any accounts except for the AD account Bruce
▪ To make any changes on the AD domain controller
▪ To change any policy elements on ISE

Note: Policy component changes refer to changes in Policy > Policy Elements ISE configuration Tab, or any
other components of ISE configuration which can be used as a reference anywhere in Policy > Policy Elements
or the policies themselves.

Hints

▪ The following report can be used on ISE to check the client provisioning policy selection
(1)Work Centers → (2)Posture → (3)Reports → (4)Reports → (5)Posture Reports → (6)Client
Provisioning
▪ Remember that when SSO fails for any reason, the only information ISE can use is obtained during
user login to the CP portal
▪ Try to google 'ISE is not able to apply an access policy to your log-in session at this time'. Maybe this
issue has been seen in the past.

Note


Since AnyConnect was uninstalled, we need to go through the download and installation again. To do
so, open the browser on Wkst1, click on the ‘ASAv’ bookmark and log in using the credentials
Bruce/C1sco12345.

After successful login to the ASA WebVPN portal, AC installation should look as described in the
screenshots below:
User needs to press Continue on the Banner:

AC installation should be started automatically:

All Java security warnings need to be approved:


Note: Firefox no longer provides NPAPI support (technology for Java applets)
https://java.com/en/download/faq/firefox_java.xml

AC installation should run without any user interaction needed:

Solution

As in task 4, it seems we are not able to match the correct provisioning policy. Therefore, it makes sense
to start with reviewing the ‘Client Provisioning’ report. As described in the presentation, ISE can only use
attributes available in the session for the client provisioning policy selection.
(1)Work Centers → (2)Posture → (3)Reports → (4)Reports → (5)Posture Reports → (6)Client Provisioning

As you can see, the error here is the same as the one which we encountered in Task 4. At the same
time, we need to understand which attribute the user Bruce has at the moment of CP portal login.
Normally, at this step, we have a session-lookup process happening in the background. This is needed to
match the collected attributes during radius authentication to the client provisioning conditions in our policy.
Session-lookup can pick the right session in one of two ways:
1) Based on the session-id value taken from the redirect-url when we deal with redirect-based posture
2) Based on the Source IP of the https (port 8443) connection when we deal with next-generation
posture. ISE can use the Source IP from the packet to find a session associated with it (this is what
we call CP portal SSO).
In the scenarios when SSO process is failing, ISE can only use the attributes collected at the moment of
user login to the client provisioning portal to match a provisioning rule.
To move further, we can investigate live logs to understand which attributes ISE has been able to collect
during user login to the portal.
Go to (1)Operations → (2)Radius → (3)Live Logs to check the last login attempt for user Bruce

Here we can see:
a. The actual VPN authentication of the user Bruce
b. Successful authentication of user Bruce on the Client Provisioning Portal
Now our goal is to investigate the detailed authentication report for the Client Provisioning Portal authentication


Let’s investigate the most important parts of the report which can help us build a theory:
a. We can confirm that AD1 has been selected as the identity store for this authentication attempt
b. Identity group row contains a SID value of an AD group retrieved during the authentication
c. Authentication method row shows which protocol was used when authenticating on the portal.
Since we cannot easily identify the external identity group here, we need to translate the SID value into an
actual AD group name. To do so we can copy the SID value and navigate to
(1)Administration → (2)Identity management → (3)External Identity Store → (4)Active Directory → (5)AD1
→ (6)Groups


By comparing the SID values, we can see the user is part of the vpn-ng-posture AD group. At this stage
we have all the required data to check the client provisioning policy.
(1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Client Provisioning Policy

Now by looking at the 'Other Condition' section, we can build our theory.
There are two conditions mentioned in the policy:
▪ External AD group: We can confirm that this group is present in the detailed authentication report
▪ Authentication method: Is set to MSCHAPV2 - this condition does not match what we saw in the
authentication report. As per the report, the authentication method used for portal login was
PAP_ASCII.


While the VPN session itself can utilize MSCHAP as an authentication method, login to any ISE portal can
only rely on PAP_ASCII (for some portals SAML can be used as well).
So, our theory here is - Bruce failed to match the correct client provisioning policy due to a difference in
the Authentication Method.
To confirm, we can duplicate the existing policy, rename it ‘AC-NG-POLICY_NO_SSO’ and remove the
AuthenticationMethod condition from the conditions list. The resulting policy may look as displayed in the
example below:

Let's test this theory by trying a login attempt once again:

Unfortunately, the same error is still displayed.

Since we are sure that MSCHAP was missing during the login attempt, we can say that our theory isn't
complete yet.
From the previous steps, we can be certain that the only attribute which is used for the policy match, in this
case the AD group, is present in the session.
As a next step, we can try to find any existing defects which may explain such a behavior.
You can use 'ISE is not able to apply an access policy to your log-in session at this time' as a Google
search query.


Note: To see full bug details you need to login https://bst.cloudapps.cisco.com with your Cisco CCO
credentials

The very first result would be the defect CSCvd11574 - ISE 2.2 CPP portal may throw "ISE is not able to
apply an access policy to your log-in session"
Looking through the defect details, we should be able to understand if it's applicable to our scenario.
Let’s have a closer look at the ‘Detailed scenario’ section to understand the conditions explained in the
defect:
1. Multiple AD or LDAP groups are added in the external identity store settings
2. CPP portal for group-based authorization
3. Problematic user is a member of more than one group which has been added in the external identity
source settings
4. Client provisioning policy for users which needs to login over CPP contains external group as a condition
Now we need to understand if these conditions are applicable to our scenario:
To check the first statement, we can once again navigate to
(1)Administration → (2)Identity management → (3)External Identity Store → (4)Active Directory → (5)AD1
→ (6)Groups

And we can confirm that there is more than one group defined here.


Let’s try to check the next statement. For this, we need to navigate to:
(1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Client Provisioning Portals
and click on the portal - CP_PORTAL_NG

At this point, we can confirm the second statement from the defect is being matched in our setup.
To check point 3, we can use the ‘Test User’ option in the same way as it was described in Task 2, this
time, for user Bruce
(1)Administration → (2)Identity management → (3)External Identity Store → (4)Active Directory → (5)AD1
→ (6)Test User

Here we can see that Bruce is indeed a member of multiple groups but only one of them is added in the
External Identity Store. This means the third condition is not matched.


At the same time, the defect seems to be very relevant so let’s check the ‘Further Problem Description’
section. It states that:
“This issue has been resolved starting from ISE 2.3, but the fix requires a slightly different approach in
client provisioning policies configuration.
Traditionally, when an external group needs to be matched by the client provisioning policy, EQUAL can
be used as a logical operation.
For the scenario explained in this defect, CONTAINS needs to be used instead in fixed releases.”
The workaround from ‘Further Problem Description’ can be easily tested by modifying a client provisioning
policy to use CONTAINS instead of EQUALS as displayed below:

Now we are good to run the test once again. Login to the portal again to confirm this theory:

Now we don’t see the error anymore, so the issue is successfully resolved.
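To make the two theories from this task concrete, the following added example (not part of the dCloud guide) models client provisioning policy selection from the attributes ISE has after a direct portal login. Attribute names, the group list and the way EQUALS/CONTAINS treat a multi-valued attribute are assumptions made for illustration, not a description of ISE internals.

```python
from typing import Any, Dict, List, Optional, Tuple

Condition = Tuple[str, str, str]   # (attribute, operator, expected value)


def condition_matches(op: str, attr_value: Any, expected: str) -> bool:
    """EQUALS requires exactly one value equal to the expected one; CONTAINS also
    accepts a multi-valued attribute (a user present in several retrieved groups)."""
    values = list(attr_value) if isinstance(attr_value, (list, tuple, set)) else [attr_value]
    if op == "EQUALS":
        return len(values) == 1 and values[0] == expected
    if op == "CONTAINS":
        return expected in values
    raise ValueError(f"unsupported operator {op}")


def select_cp_policy(session_attrs: Dict[str, Any], policies: List[dict]) -> Optional[str]:
    """First policy (top-down) whose 'Other Conditions' all match wins. None is the
    case where the portal reports that ISE cannot apply an access policy."""
    for policy in policies:
        if all(condition_matches(op, session_attrs.get(attr), expected)
               for attr, op, expected in policy["conditions"]):
            return policy["name"]
    return None


# Constructed: what ISE can collect when SSO fails and Bruce logs in to the portal.
# Portal login is PAP_ASCII, and his group membership is modelled as multi-valued
# (an assumption; the lab guide does not state how ISE stores the attribute).
PORTAL_LOGIN_BRUCE: Dict[str, Any] = {
    "AuthenticationMethod": "PAP_ASCII",
    "AD1:ExternalGroups": ["vpn-ng-posture", "another-retrieved-group"],
}

ORIGINAL_POLICY = {"name": "AC-NG-POLICY", "conditions": [
    ("AD1:ExternalGroups", "EQUALS", "vpn-ng-posture"),
    ("AuthenticationMethod", "EQUALS", "MSCHAPV2"),       # only the VPN itself uses MSCHAPv2
]}
NO_AUTHMETHOD_POLICY = {"name": "AC-NG-POLICY_NO_SSO", "conditions": [
    ("AD1:ExternalGroups", "EQUALS", "vpn-ng-posture"),   # first theory: still fails
]}
CONTAINS_POLICY = {"name": "AC-NG-POLICY_NO_SSO", "conditions": [
    ("AD1:ExternalGroups", "CONTAINS", "vpn-ng-posture"), # workaround from the defect
]}

if __name__ == "__main__":
    for policy in (ORIGINAL_POLICY, NO_AUTHMETHOD_POLICY, CONTAINS_POLICY):
        print(policy["conditions"], "->", select_cp_policy(PORTAL_LOGIN_BRUCE, [policy]))
```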

Task 8 Troubleshooting: SSO is failing on the Client Provisioning Portal

Problem description

After resolving the previous problem, DEMO IT representatives asked to demonstrate if the SSO
functionality can work in general. At the moment, every time a user tries to access the CPP portal over URL
http://cpp.dcloud.cisco.com, the Username/Password prompt is displayed.


You can reproduce the problem once again from Wkst1 by connecting to the VPN with Bruce’s credentials.

How it should work

The following statements are true for the redirect to the client provisioning policy selection:
▪ The user should not get a Username/Password prompt after accessing - http://cpp.dcloud.cisco.com
▪ After pressing the ‘Start’ button, the user should be asked to install AC ISE posture module
▪ User should hit the following client provisioning policy - AC-NG-POLICY

The screenshots below demonstrate what needs to happen after pressing on the ‘Start’

First, the countdown timer is displayed to the user:

After the timer reaches 0, the user can select ‘This is my first time here’ and click on the AnyConnect
download link:


To confirm that the issue in this task is successfully fixed, you don’t need to install an AC ISE posture
module. You just need to ensure that SSO works and ISE is able to select a client provisioning policy for
the user.

You are not allowed

▪ To use any accounts except for the AD account Bruce
▪ To make any changes on the AD domain controller
▪ To change any policy, policy elements or policy order on ISE

Hints

▪ Try to recall how the SSO process works for the CP portal
▪ Investigate session details to check if ISE got the required information.

Solution

As it has been explained in the intro presentation, ISE relies on the source IP address in the client request
to perform a session lookup. A successful session lookup leads to a successful SSO. All required attributes
for the client provisioning policy selection are extracted from the session context.

To troubleshoot failed SSO, two main things need to be verified:

▪ We need to confirm that ISE gets requests from the same IP that is present on the client's AnyConnect
adapter (no NAT along the way).

▪ The same IP address is present in the session details.


Let’s start with the first point: we can verify the client’s IP address by opening the AnyConnect advanced
window:

In the Statistics tab of the new window, the client IP address is located next to ‘Client (IPv4)’:

Now with this knowledge, we can set up a packet capture on ISE to confirm that there is no NAT along the
path

(1)Operations → (2)Troubleshooting → (3)Diagnostic Tools → (4)TCP Dump

You can define a filter like ‘ip host <VPN IP>’ as it is displayed in the example below:


After starting the capture, we need to access the portal once again just to ensure that packets are sent by
the client towards ISE. When this is done you can stop the capture, download the pcap file and check what
is the source IP of the requests from the ISE perspective:

Now that we can confirm the IP address has not been changed along the path, we move on to the second
theory which is that the IP address is somehow missing in the session attributes.

Investigation of the live-log proves our theory right away:

Since we clearly see that the endpoint IP is missing in the attributes, the next question we need to answer
is ‘when and how does ISE learn about the endpoint IP?’


The short answer to the question is: Endpoint IP is learned from the Framed-IP-Address which is a standard
IETF Radius attribute.

This attribute can be carried in the Access-Request, Accounting-Request (type Start) and Accounting-Request (type Interim-Update).

Typically, Access-Requests don’t include this attribute, since at the authentication stage the endpoint may
not have an IP address yet. In the VPN scenario, the IP is assigned by the VPN headend only after successful
authentication.

This means that in our scenario, the endpoint IP has to be delivered in Accounting messages.
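The following added example (not from the dCloud guide) shows the mechanism in code: it decodes constructed RADIUS Accounting-Request packets, learns Framed-IP-Address per session, and performs the source-IP session lookup that CP portal SSO depends on, including the failure mode where a tunnel-group never sends accounting. Usernames, IPs and the session-table layout are constructed placeholders, not captured lab data or ISE's actual implementation.

```python
import ipaddress
import os
import struct
from typing import Dict, List, Optional

ACCOUNTING_REQUEST = 4                                      # RADIUS code, RFC 2866
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40   # standard IETF attribute types
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3               # Acct-Status-Type values

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS AVP: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def accounting_request(username: str, status: int, framed_ip: Optional[str]) -> bytes:
    """Constructed Accounting-Request. Framed-IP-Address is optional, just as a
    NAS that was never told to send accounting never delivers it at all."""
    body = attr(USER_NAME, username.encode()) + attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    if framed_ip:
        body += attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + os.urandom(16)
    return header + body

def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the AVPs after the 20-byte header, rejecting malformed lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_sessions(authenticated: List[str], packets: List[bytes]) -> Dict[str, Optional[str]]:
    """Session table keyed by username. Authentication alone leaves the IP unknown;
    it is learned only from Start/Interim-Update accounting carrying Framed-IP-Address."""
    sessions: Dict[str, Optional[str]] = {user: None for user in authenticated}
    for pkt in packets:
        a = parse_attributes(pkt)
        user = a[USER_NAME].decode()
        status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
        sessions.setdefault(user, None)
        if status in (ACCT_START, ACCT_INTERIM) and FRAMED_IP_ADDRESS in a:
            sessions[user] = str(ipaddress.IPv4Address(a[FRAMED_IP_ADDRESS]))
    return sessions

def cpp_sso_lookup(sessions: Dict[str, Optional[str]], src_ip: str) -> Optional[str]:
    """The SSO step: match the portal request's source IP to a session. None means
    the portal has to fall back to the Username/Password prompt."""
    for user, ip in sessions.items():
        if ip == src_ip:
            return user
    return None

if __name__ == "__main__":
    # Constructed scenario: 'alice' connected via a tunnel-group with accounting-server-group
    # configured; 'Bruce' via one without it, so ISE never receives Framed-IP-Address for him.
    table = build_sessions(["alice", "Bruce"], [accounting_request("alice", ACCT_START, "10.10.20.5")])
    print(cpp_sso_lookup(table, "10.10.20.5"))   # alice -> SSO succeeds
    print(cpp_sso_lookup(table, "10.10.20.6"))   # None  -> login prompt
```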

As a next step, we need to check the Radius Accounting report on ISE to confirm that accounting packets
are received by ISE:

(1)Work Centers → (2)Posture → (3)Reports → (4)Reports → (5)Posture Reports → (6)RADIUS Accounting

We can filter by username in the Identity column:

Report output clearly shows that there were no accounting packets received by ISE for the username Bruce.
Since accounting messages are generated by the Network Access Devices, we can move our
troubleshooting to the ASA.
In the ASA, authentication and accounting servers are configurable under general-attributes of a tunnel-
group.
Let's compare settings of both tunnel groups which we use:

ASAv# sh running-config tunnel-group POSTURE-REDIRECT general-attributes
tunnel-group POSTURE-REDIRECT type remote-access
tunnel-group POSTURE-REDIRECT general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy DCLOUD-POSTURE-GP

ASAv# sh running-config tunnel-group POSTURE-NG general-attributes
tunnel-group POSTURE-NG type remote-access
tunnel-group POSTURE-NG general-attributes
 authentication-server-group ISE
 default-group-policy DCLOUD-POSTURE-GP

The collected outputs clearly confirm that accounting is not configured for the tunnel-group POSTURE-NG
and this needs to be fixed. The example below shows how to add an accounting server to the tunnel-group:

ASAv# configure terminal
ASAv(config)# tunnel-group POSTURE-NG general-attributes
ASAv(config-tunnel-general)# accounting-server-group ISE

After implementing this change, we can reconnect to the VPN once again and confirm that the IP address
is present in the live logs:

Also, we can run the accounting report once again:

At this point, we can try to access http://cpp.dcloud.cisco.com to confirm that everything is working fine:


This issue is now resolved.
