IMPORTANT! This content is community developed and is not subject to standard dCloud verification or support. Please
contact dCloud Support for more information.
• Requirements
• Topology
• Get Started
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required Optional
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 29
Cisco dCloud
Cisco AnyConnect now adds an optional AMP enabler which allows AnyConnect to easily turn on AMP for endpoints capabilities to
obtain additional threat protection. AMP is a malware-defeating solution that takes advantage of Talos and its vast cloud security
intelligence network. It delivers protection across the attack continuum—before, during, and after an attack—with malware
detection and blocking, continuous analysis, and retrospective alerting. Users can block more attacks, track suspicious files,
mitigate the scope of an outbreak, and remediate faster.
For additional information about Cisco Advanced Malware Protection, visit http://www.cisco.com/go/amp.
Configuration
This demonstration contains preconfigured users and components to illustrate the scripted scenarios. All access information
needed to complete the demonstration is listed throughout the demonstration guide.
Table 2. Available Portals
Vertical   | Public portal             | Employee portal              | Internal records
Healthcare | For Patients and Families | For Healthcare Professionals | Medical Records / Insurance Server
Education  | For Students and Guests   | For Faculty/Educators        | Student Records / Student Contacts
Federal    | For Visitors              | For Federal Agents           | Background Records / Human Resource Server
Corporate  | For Customers and Guests  | For Corporate Employees      | Corporate Financial Records / HR Records
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
2. For best performance, connect to the workstation with Cisco AnyConnect VPN and the local RDP client on your laptop.
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client. The dCloud Remote Desktop client
works best for accessing an active session with minimal interaction. However, many users experience connection and
performance issues with this method.
• ASA host scan with pre-login policies to identify corporate or non-corporate assets
• Dynamic Access Policies (DAP) to limit access based on user identity and posture
• AnyConnect AMP for Endpoints Enabler Module and AMP for Endpoints integration
Steps
In this scenario, the ASA classifies WKST1 as a corporate asset. We run a batch file on the desktop that creates the dCloud
watermark file; when the ASA host scan pre-login policy detects this watermark file, it classifies the machine as a corporate
asset.
NOTE: If you have already completed the AnyConnect with AMP and ISE Posture scenario, skip to Step 18.
1. From Wkst1, double click Toggle Watermark. A window opens and displays a message that the system is creating a dCloud
watermark.
3. From Wkst1, open Firefox. The Cisco AnyConnect with AMP desktop displays.
4. Select ASAv from the bookmarks. This runs the Cisco Secure Desktop and leads to a login page. Log in using specific vertical
credentials, that is username: doctor, dean, captain or manager and password: C1sco12345.
5. Click Continue on the welcome banner. This displays the dCloud contractor VPN Portal.
6. Click the yellow exclamation point. The message indicates that the user is an employee on a non-compliant corporate
device. Click Close.
NOTE: The machine is classified as non-compliant because it does not yet have the AMP for Endpoints connector software
installed and running. AnyConnect provisions the AMP for Endpoints connector software later in this demo. If you have previously
completed the scenario using ISE posture, and AMP for Endpoints connector is already installed and running, the ASA classifies
the machine as compliant.
NOTE: AnyConnect is an option, since you are now classified as an employee on a corporate asset as opposed to on a non-
corporate asset. You now have the ability to launch and connect using AnyConnect or clientless VPN.
• The AMP enabler module is installed, downloading and installing the AMP for Endpoints connector software.
NOTE: AnyConnect uses the AMP enabler module to download and install the AMP for Endpoints connector software. The
AMP for Endpoints connector installer file is hosted on a machine internal to your environment, in this case the Linux Web
Portals machine. The AnyConnect ASA posture module is not visible. It runs behind the scenes, working with AnyConnect to
deliver posture information about the workstation so that the ASA DAP rules can make the correct access decisions based on that
posture information.
The AMP enabler module delays the download and installation of AMP for Endpoints until AFTER the upgrade, after the certificate
is obtained, and after the user reconnects and is fully up on the VPN.
10. The Certificate Enrollment process prompts the user for a certificate username. Enter in the same vertical username (doctor,
dean, captain or manager).
NOTE: If a popup box appears that reads Quarantined - Remediation Required (along with Disconnect and Ignore options), do
not click on anything. This box will disappear and the certificate enrollment box will prompt for the certificate username.
11. Click Enroll. Once the enrollment is complete, you are disconnected. Click OK on the popup box informing you certificate
enrollment succeeded.
NOTE: AnyConnect requests and obtains a digital certificate, and then disconnects and reconnects. When it reconnects, two-factor
authentication authenticates the user, using both the recently obtained certificate, and the username/password. If the AnyConnect
client does not reconnect automatically after obtaining the digital certificate, and prompt you for a username and password,
manually connect back to the asav.dcloud.cisco.com group using the AnyConnect client.
12. AnyConnect prompts you for a username and password. Enter the same vertical username (doctor, dean, captain or
manager) and C1sco12345 for the password.
NOTE: The AnyConnect software is upgraded, the AMP enabler and ASA posture modules have been installed, and the AMP
enabler module is actively downloading and installing the AMP for Endpoints connector software. Once you connect to the VPN in
the quarantined state, the AMP for Endpoints connector download starts. The download and installation process takes about 2
minutes to complete.
At this particular moment, the ASA will allow quarantined access to the network. It allows all the software upgrades and
installations to finish before continuing on to the next section that deals with posture. Once the AMP for Endpoints connector
downloads and installs, we will disconnect from the VPN and connect back in using the ASA Posture group to show the ASA
posture capabilities.
15. When the AMP for Endpoints connector software finishes installing, it will automatically open, and you will see a shortcut on
the desktop.
16. Cisco AMP for Endpoints displays. The checkmark icon should be green and read Connected. It may take up to a minute for
the status to move from not connected to connected.
17. In the Cisco AnyConnect Secure Mobility Client window, click Disconnect.
18. In the Cisco AnyConnect Secure Mobility Client window, click the dropdown arrow and select ASA Posture to connect.
19. The user is authenticated with two-factor authentication (digital certificate and username/password). AnyConnect pre-
populates the username field with the information from the digital certificate. When prompted, enter C1sco12345 for the
password.
21. Once connected, the AnyConnect popup box notifies you that as an employee on a compliant corporate owned asset, you
have FULL access to the network. Click OK on the popup box.
22. From Wkst1, open Firefox and click the Home button in the browser. The Cisco AnyConnect with AMP desktop displays.
23. Click the vertical specific portal icon (healthcare, education, federal or corporate portal).
24. From the portal page, click the General Resources. As an employee with full access, the user can access this resource.
25. Click the back button on the browser and select Internal Resources. As an employee with full access, the user can access
the internal resources page.
26. Click the link for Medical Records. As an employee with full access, the user can access the medical records page.
NOTE: The screen shots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and
within the internal resources, an Internal Records type of link. Check Table 2 - Available Portals for information on alternative log in
credentials.
NOTE: The ASA allowed full access to the network for employees on compliant corporate owned assets. The ASA determines that
a machine is a corporate-owned asset if it has a digital certificate signed by the dCloud CA with dCloud identified as the
organizational unit, or if it has the watermark file. The ASA determines compliance by using the host scan to check and see if the
AMP for Endpoints connector is running. If the correct process is running, the machine is determined to be compliant. If the correct
AMP for Endpoints process is not running, the machine is determined to be non-compliant.
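The decision logic this note describes, as an added Python model (not Cisco's code and not the demo's ASA configuration): the two host-scan facts plus the certificate OU feed a DAP-style decision that yields the three access outcomes the scenarios walk through. The watermark path follows the file the guide saves to the C: drive later; the AMP service name and the `sc query` probe are assumptions.

```python
import os
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed values for this example. The watermark path follows the guide
# (dcloud_watermark.txt saved to the C: drive); the service name is a placeholder.
WATERMARK_PATH = r"C:\dcloud_watermark.txt"
AMP_SERVICE_NAME = "PLACEHOLDER_AMP_CONNECTOR_SERVICE"  # hypothetical, not the real name
CORPORATE_CERT_OU = "dCloud"


@dataclass(frozen=True)
class Posture:
    cert_ou: Optional[str]   # OU of the client certificate, None when there is no certificate
    has_watermark: bool      # watermark file present on the workstation
    amp_running: bool        # AMP for Endpoints connector process/service is running


def is_corporate_asset(p: Posture) -> bool:
    """Corporate asset: certificate with OU dCloud OR the watermark file exists."""
    return p.cert_ou == CORPORATE_CERT_OU or p.has_watermark


def is_compliant(p: Posture) -> bool:
    """Compliance is decided solely by whether the AMP connector is running."""
    return p.amp_running


def dap_access(p: Posture) -> str:
    """Map the posture onto the three access tiers the demo shows."""
    if not is_corporate_asset(p):
        return "contractor-portal"   # non-corporate asset: clientless contractor portal only
    if is_compliant(p):
        return "full"                # employee on a compliant corporate asset
    return "limited"                 # employee on a non-compliant corporate asset (dACL applied)


def windows_service_running(name: str) -> bool:
    """Probe a Windows service state with `sc query` (assumption; only meaningful on Windows)."""
    try:
        out = subprocess.run(["sc", "query", name], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return False
    return "RUNNING" in out


def probe_local_posture(cert_ou: Optional[str]) -> Posture:
    """Gather the two host-scan facts locally; the certificate OU is supplied by the caller."""
    return Posture(cert_ou=cert_ou,
                   has_watermark=os.path.exists(WATERMARK_PATH),
                   amp_running=windows_service_running(AMP_SERVICE_NAME))


if __name__ == "__main__":
    print(dap_access(probe_local_posture(cert_ou=None)))
```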
29. Click Stop FireAMP for Endpoints Connector Service on the desktop. This stops the AMP for Endpoints connector service,
and the AMP for Endpoints connector software changes to red. The status changes to Service Stopped.
30. In the Cisco AnyConnect Secure Mobility Client window, select ASA Posture to connect.
31. The user is authenticated with two-factor authentication (digital certificate and username/password). AnyConnect pre-
populates the username field with the information from the digital certificate. When prompted, enter C1sco12345 for the
password.
33. Once connected, the AnyConnect popup box notifies you that as an employee on a non-compliant corporate owned asset, you
have LIMITED access to the network. Click Ignore on the popup box.
NOTE: Clicking Ignore tells the ASA that you understand that you are not compliant, but are requesting limited network access.
The ASA dynamic access policy (DAP) applies a session specific dynamic ACL that limits network access.
OPTIONAL: You can see specifically how the ASA limits access. Open PuTTY from the desktop and double click ASAv Outside
Interface to SSH to the ASA. If you are using AnyConnect VPN into the demo itself, you can also do this from your local machine
using an SSH client to 198.18.133.254. Log in using the credentials admin/C1sco12345. Type enable to enter enable mode with
the password C1sco12345.
Enter the following commands to explore the per-session dACL being applied.
34. From Wkst1, open Firefox. The Cisco AnyConnect with AMP desktop displays.
35. Click the vertical specific portal icon (healthcare, education, federal or corporate portal).
36. From the portal page, click the General Resources. As an employee on a personal machine, the user can access this
resource.
37. Click the back button on the browser and select Internal Resources. As an employee on a personal machine, the user is
allowed access to the internal resources page.
38. Click the link for Medical Records. The employee is blocked from accessing the records since they are using a non-compliant
corporate machine.
NOTE: The screen shots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and
within the internal resources, an Internal Records type of link. Check Table 2 - Available Portals for information on alternative log in
credentials.
Steps
Cisco ISE has powerful capabilities that can automatically remediate issues, or help the user easily remediate issues on their
machine that are causing non-compliant classifications. At this stage of the demonstration, we have a digital certificate and
watermark file. The AMP for Endpoints connector is NOT running, since it was disabled in the previous scenario. The posture
compliance policy configured in ISE looks for two specific things. First, it looks for the watermark file. Then, it checks to see if the
AMP for Endpoints connector service is running. If either of those things is not true, ISE can remediate these issues.
To show how ISE can help remediate these issues, we will leave the AMP for Endpoints connector service shut down, and run the
toggle watermark program again so that the watermark file is deleted. Going into the ISE posture scenario, ISE flags the machine
as non-compliant because the watermark file is not present, and the AMP for Endpoints connector service is not running.
ISE has many different options for both posture and device remediation. Throughout this demonstration, we take advantage of the
file check and service check posture checks, as well as the file distribution and launch program remediation options.
NOTE: If you have not previously completed Scenario 1—AnyConnect with AMP and ASA Posture, you will need to complete the
Steps 1 through 17 of that scenario before continuing, since this scenario requires a digital certificate, and requires that the AMP
for Endpoints connector software be already installed. If you have already completed Scenario 1, please proceed to Step 1 below.
Before proceeding, ensure that the AMP for Endpoints connector service is stopped. If the AMP for Endpoints connector still shows
green with a status of Connected, double-click the Stop AMP for Endpoints Connector Service icon on the desktop.
1. From Wkst1, double click Toggle Watermark. A window opens and displays a message that the system is removing the
dCloud watermark.
2. Press any key to continue. The system removes the watermark file and the AMP for Endpoints service is still stopped.
3. In the Cisco AnyConnect Secure Mobility Client window, select ISE Posture to connect.
4. The user is authenticated with two-factor authentication (digital certificate and username/password). AnyConnect pre-
populates the username field with the information from the digital certificate. When prompted, enter C1sco12345 for the
password.
5. Click Accept.
• AnyConnect will install the ISE posture module and it will become visible in AnyConnect.
• AnyConnect ISE posture module will locate the ISE server and start running a scan.
NOTE: The AnyConnect ISE posture module gathers posture information (similar to how host scan works), and allows AnyConnect
and ISE to communicate. This displays as a visible panel to AnyConnect in this scenario. The ISE compliance module is used to
allow ISE to interact with different processes and applications. For example, it can allow ISE to automatically update virus definition
files for many different vendor applications. The compliance modules are constantly updated by ISE so that the information is
always relevant and up to date. The ISE compliance module works in the background and is not visible in AnyConnect.
7. ISE posture module notifies you that there are required updates:
• REQUIREMENT_DCLOUD_WATERMARK
• REQUIREMENT_DCLOUD_FIREAMP
8. Click Cancel. Click Yes. ISE quarantines the user with limited access.
NOTE: At this point, we will not remediate the system. ISE receives the message that you understand that you are not compliant,
but are requesting limited network access. ISE sends back a dynamic ACL (dACL) to the ASA that is applied to this specific user
VPN session. The dACL limits what resources the user can access.
OPTIONAL: You can see how ISE works with the ASA to limit access. Open PuTTY from the desktop and double click ASAv
Outside Interface to SSH to the ASA. If you are using AnyConnect VPN into the demo itself, you can also do this from your local
machine using an SSH client to 198.18.133.254. Log in using the credentials admin/C1sco12345. Type enable to enter enable
mode with the password C1sco12345.
Enter the following commands to explore the per-session dACL that was returned by ISE and applied on the ASA to this specific
VPN session.
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 1 extended deny ip any4 host 198.19.10.48 (hitcnt=0) 0x99447b5a
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 2 extended deny ip any4 host 198.19.10.51 (hitcnt=0) 0x0f1283d7
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 3 extended deny ip any4 host 198.19.10.54 (hitcnt=0) 0x4744b019
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 4 extended deny ip any4 host 198.19.10.57 (hitcnt=0) 0x46a35a32
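An added Python parser (not part of the dCloud guide) for the `show access-list` lines above: it turns each ACE into a record, evaluates a source/destination pair with the ASA's first-match semantics, and lists the hosts the non-compliant dACL denies, which in the demo are the internal records servers. The source address used in the usage line is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Sample input: the four dACL lines from the `show access-list` output above, embedded
# here so the script runs offline (copied from the guide, not captured from a live ASA).
SAMPLE_OUTPUT = """\
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 1 extended deny ip any4 host 198.19.10.48 (hitcnt=0) 0x99447b5a
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 2 extended deny ip any4 host 198.19.10.51 (hitcnt=0) 0x0f1283d7
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 3 extended deny ip any4 host 198.19.10.54 (hitcnt=0) 0x4744b019
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 4 extended deny ip any4 host 198.19.10.57 (hitcnt=0) 0x46a35a32
"""

# One extended ACE as printed by `show access-list`; the hit counter and trailing hash are optional.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any4|any6|any|host \S+|\S+ \S+) "
    r"(?P<dst>any4|any6|any|host \S+|\S+ \S+)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: str
    dst: str
    hits: Optional[int]


def parse_acl(text: str) -> List[Ace]:
    """Parse every ACE line; non-ACE lines (banners, page footers) are skipped."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(m["name"], int(m["line"]), m["action"], m["proto"], m["src"], m["dst"],
                            int(m["hits"]) if m["hits"] else None))
    return sorted(aces, key=lambda a: a.line)


def _addr_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Evaluate an ASA address keyword: any/any4, host X, or network + mask."""
    if spec in ("any", "any4"):
        return True
    if spec == "any6":
        return False
    if spec.startswith("host "):
        return ip == ipaddress.ip_address(spec.split()[1])
    net, mask = spec.split()
    return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def first_match(aces: List[Ace], src: str, dst: str, proto: str = "ip") -> Optional[Ace]:
    """ASA ACLs are first-match: return the ACE that decides this src->dst flow, or None
    when no listed line matches (what happens then depends on the ACL's final rule)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto in ("ip", proto) and _addr_matches(ace.src, s) and _addr_matches(ace.dst, d):
            return ace
    return None


def denied_hosts(aces: List[Ace]) -> Set[str]:
    """Hosts explicitly denied to every source; in the demo these are the internal records servers."""
    return {a.dst.split()[1] for a in aces
            if a.action == "deny" and a.dst.startswith("host ") and a.src in ("any", "any4")}


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_OUTPUT)
    print(f"{acl[0].acl}: {len(acl)} ACEs, denied hosts {sorted(denied_hosts(acl))}")
    print(first_match(acl, "198.18.133.100", "198.19.10.48"))  # constructed client address
```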
9. From Wkst1, open Firefox and click the browser Home button. The Cisco AnyConnect with AMP desktop displays.
10. Click the vertical specific portal icon (healthcare, education, federal or corporate portal).
11. From the portal page, click the General Resources. The user can access this resource.
12. Click the back button on the browser and select Internal Resources. As an employee with full access, the user can access
the internal resources page.
13. Click the link for Medical Records. ISE limits access to the internal records resource, and the employee is blocked from
accessing the records since they are using a personal machine.
NOTE: The screen shots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and
within the internal resources, an Internal Records type of link. Check Table 2 - Available Portals for information on alternative log in
credentials.
NOTE: Now that we have properly demonstrated how ISE dynamically limits user access when the machine is non-compliant, we
will connect again and demonstrate how ISE can help remediate the system so that the user can gain full network access.
16. In the Cisco AnyConnect Secure Mobility Client window, select ISE Posture to connect again.
17. The user is authenticated with two-factor authentication (digital certificate and username/password). AnyConnect pre-
populates the username field with the information from the digital certificate. When prompted, enter C1sco12345 for the
password.
19. ISE again finds two required updates. Click the Start button on the popup to remediate.
20. When prompted, save the dcloud_watermark.txt file to the C: drive by clicking Save.
NOTE: For the watermark requirement, ISE uses the file check option to check the posture of the machine by looking to see if the
watermark file is present and in the right location. It is using the File distribution remediation option to push the watermark file to the
workstation.
NOTE: For the AMP for Endpoints requirement, ISE uses the service check option to check the posture of the machine by
checking whether the AMP for Endpoints connector Windows service is running. ISE uses the launch program remediation option
to remediate the issue. If ISE detects that the AMP for Endpoints connector service is not running, it calls a .bat file on the
workstation that starts the proper service.
23. The AMP for Endpoints service starts and the AMP for Endpoints connector displays green with a status of connected.
NOTE: It may take a few moments for the AMP for Endpoints connector to change to green with a status of Connected. ISE has
now given the compliant machine full network access.
24. From Wkst1, open Firefox. The Cisco AnyConnect with AMP desktop displays.
25. Click the vertical specific portal icon (healthcare, education, federal or corporate portal).
26. Select Internal Resources. As an employee with full access, the user can access the internal resources page.
27. Click the link for Medical Records. ISE allows access to the internal records resource, and the employee has full access.
NOTE: The screen shots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and
within the internal resources, an Internal Records type of link. Check Table 2 - Available Portals for information on alternative log in
credentials.