
Cisco dCloud

Cisco AnyConnect Posture with ASA, ISE and AMP v1.2


Last Updated: 10-JUNE-2021

IMPORTANT! This content is community developed and is not subject to standard dCloud verification or support. Please
contact dCloud Support for more information.

About This Demonstration


This guide for the preconfigured demonstration includes:

• Requirements

• About This Solution

• Topology

• Get Started

• Scenario 1: AnyConnect with AMP and ASA Posture

• Scenario 2: AnyConnect with AMP and ISE Posture

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Required: Laptop
Optional: Cisco AnyConnect

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 29

About This Solution


Cisco AnyConnect empowers your employees to work from anywhere, on corporate laptops as well as personal mobile devices,
regardless of physical location. It provides the security necessary to help keep your organization’s data safe and protected.

Cisco AnyConnect now includes an optional AMP Enabler module that lets AnyConnect deploy AMP for Endpoints on the endpoint for
additional threat protection. AMP is an anti-malware solution that draws on Talos and its cloud security intelligence network. It
delivers protection across the attack continuum (before, during, and after an attack) with malware detection and blocking,
continuous analysis, and retrospective alerting. Users can block more attacks, track suspicious files, mitigate the scope of an
outbreak, and remediate faster.

For additional information about Cisco AnyConnect, visit http://www.cisco.com/go/anyconnect

For additional information about Cisco Advanced Malware Protection, visit http://www.cisco.com/go/amp.

Configuration
This demonstration contains preconfigured users and components to illustrate the scripted scenarios. All access information
needed to complete the demonstration is listed throughout the demonstration guide.

Table 2. Available Portals

Scenario / Vertical | General Resources (All)   | Internal Resources           | Internal Records
Healthcare          | For Patients and Families | For Healthcare Professionals | Medical Records / Insurance Server
Education           | For Students and Guests   | For Faculty/Educators        | Student Records / Student Contacts
Federal             | For Visitors              | For Federal Agents           | Background Records / Human Resource Server
Corporate           | For Customers and Guests  | For Corporate Employees      | Corporate Financial Records / HR Records

Table 3. Credentials and Access Levels

Scenario / Vertical | Username | Password
Healthcare          | doctor   | C1sco12345
Education           | dean     | C1sco12345
Federal             | captain  | C1sco12345
Corporate           | manager  | C1sco12345


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How].

• Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.


Scenario 1. AnyConnect with AMP and ASA Posture


In this scenario, we focus on the AnyConnect client and demonstrate the following features:

• ASA host scan with pre-login policies to identify corporate or non-corporate assets

• Dynamic Access Policies (DAP) to limit access based on user identity and posture

• AnyConnect Web Launch

• AnyConnect Auto Upgrade

• AnyConnect AMP for Endpoints Enabler Module and AMP for Endpoints integration

• Certificate Enrollment using ASA SCEP Proxy

Steps
In this scenario the ASA classifies WKST1 as a corporate asset. You will run a .bat file on the desktop that creates the dCloud
watermark file; when the ASA Host Scan pre-login policy detects this file, it classifies the machine as a corporate asset.

NOTE: If you have already completed the AnyConnect with AMP and ISE Posture scenario, skip to Step 18.

1. From Wkst1, double click Toggle Watermark. A window opens and displays a message that the system is creating a dCloud
watermark.

Figure 2. Toggle Watermark

2. Press any key to close the window.


3. From Wkst1, open Firefox. The Cisco AnyConnect with AMP desktop displays.

Figure 3. Cisco AnyConnect with AMP

4. Select ASAv from the bookmarks. This launches Cisco Secure Desktop (Host Scan) and then shows the login page. Log in with the
username for your vertical (doctor, dean, captain or manager) and the password C1sco12345.

5. Click Continue on the welcome banner. This displays the dCloud contractor VPN Portal.


6. Click the yellow exclamation point. The message indicates that the user is an employee on a non-compliant corporate
device. Click Close.

NOTE: The machine is classified as non-compliant because it does not yet have the AMP for Endpoints connector software
installed and running. AnyConnect provisions the AMP for Endpoints connector software later in this demo. If you have previously
completed the scenario using ISE posture, and AMP for Endpoints connector is already installed and running, the ASA classifies
the machine as compliant.

Figure 4. Yellow Exclamation Point and Message

NOTE: AnyConnect is an option, since you are now classified as an employee on a corporate asset as opposed to on a non-
corporate asset. You now have the ability to launch and connect using AnyConnect or clientless VPN.

7. Click AnyConnect in the left column.

8. Click Start AnyConnect to start AnyConnect.


Figure 5. Start AnyConnect


9. Minimize Firefox. As AnyConnect starts, a number of processes run in quick sequence:

• AnyConnect upgrades itself. (AnyConnect Auto Upgrade)

• AnyConnect installs the ASA posture module.

• Certificate enrollment occurs using SCEP proxy.

• The AMP enabler module is installed, downloading and installing the AMP for Endpoints connector software.

NOTE: AnyConnect uses the AMP enabler module to download and install the AMP for Endpoints connector software. The
AMP for Endpoints connector installer file is hosted on a machine internal to your environment, in this case the Linux Web
Portals machine. The AnyConnect ASA posture module is not visible. It runs behind the scenes, working with AnyConnect to
deliver posture information about the workstation so that the ASA DAP rules can make the correct access decisions based on that
posture information.

The AMP enabler module delays the download and installation of AMP for Endpoints until AFTER the upgrade, after the certificate
is obtained, and after the user reconnects and is fully up on the VPN.

10. The certificate enrollment process prompts for a certificate username. Enter the same vertical username (doctor, dean,
captain or manager).

NOTE: If a popup box appears that reads Quarantined - Remediation Required (along with Disconnect and Ignore options), do
not click on anything. This box will disappear and the certificate enrollment box will prompt for the certificate username.

11. Click Enroll. Once the enrollment is complete, you are disconnected. Click OK on the popup box informing you certificate
enrollment succeeded.

NOTE: AnyConnect requests and obtains a digital certificate, then disconnects and reconnects. On reconnect the user is authenticated
with two factors: the newly obtained certificate and the username/password. If AnyConnect does not reconnect automatically after
obtaining the certificate and prompt you for a username and password, connect manually to the asav.dcloud.cisco.com group using
the AnyConnect client.

12. AnyConnect prompts you for a username and password. Enter the same vertical username (doctor, dean, captain or
manager) and C1sco12345 for the password.

13. Click Accept in the pop-up window.


14. Click Ignore on the Quarantined dialog box.

NOTE: The AnyConnect software is upgraded, the AMP enabler and ASA posture modules have been installed, and the AMP
enabler module is actively downloading and installing the AMP for Endpoints connector software. Once you connect to the VPN in
the quarantined state, the AMP for Endpoints connector download starts. The download and installation process takes about 2
minutes to complete.

At this particular moment, the ASA will allow quarantined access to the network. It allows all the software upgrades and
installations to finish before continuing on to the next section that deals with posture. Once the AMP for Endpoints connector
downloads and installs, we will disconnect from the VPN and connect back in using the ASA Posture group to show the ASA
posture capabilities.

15. When the AMP for Endpoints connector software finishes installing, it will automatically open, and you will see a shortcut on
the desktop.

Figure 6. AMP for Endpoints Connector Icon

16. Cisco AMP for Endpoints displays. The checkmark icon should be green and read Connected. It may take up to a minute for
the status to move from not connected to connected.

Figure 7. AMP for Endpoints


17. In the Cisco AnyConnect Secure Mobility Client window, click Disconnect.

18. In the Cisco AnyConnect Secure Mobility Client window, click the dropdown arrow and select ASA Posture to connect.

19. The user is authenticated with two-factor authentication (digital certificate and username/password). AnyConnect pre-
populates the username field with the information from the digital certificate. When prompted, enter C1sco12345 for the
password.

20. Click Accept.

21. Once connected, the AnyConnect popup box notifies you that as an employee on a compliant corporate owned asset, you
have FULL access to the network. Click OK on the popup box.

Figure 8. AnyConnect Full Access

22. From Wkst1, open Firefox and click the Home button in the browser. The Cisco AnyConnect with AMP desktop displays.

23. Click the vertical specific portal icon (healthcare, education, federal or corporate portal).

Figure 9. Demonstration Portals

24. From the portal page, click the General Resources. As an employee with full access, the user can access this resource.


Figure 10. General Resources


25. Click the back button on the browser and select Internal Resources. As an employee with full access, the user can access
the internal resources page.

Figure 11. Internal Resources

26. Click the link for Medical Records. As an employee with full access, the user can access the medical records page.

NOTE: The screen shots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and
within the internal resources, an Internal Records type of link. Check Table 2 - Available Portals for information on alternative log in
credentials.


Figure 12. Medical Records

27. Click X to close Firefox.

28. Disconnect from AnyConnect.

NOTE: The ASA granted full network access because the user is an employee on a compliant, corporate-owned asset. The ASA treats a
machine as corporate-owned if Host Scan finds either a digital certificate issued by the dCloud CA with dCloud as the organizational
unit, or the watermark file. It determines compliance by having Host Scan check whether the AMP for Endpoints connector process is
running: if it is, the machine is compliant; if it is not, the machine is non-compliant. Of the two ownership signals, only the
certificate is tied to a key the machine had to enroll for; the watermark is an ordinary file that the Toggle Watermark script creates
and deletes, so a pre-login policy that accepts the file alone is a demo convenience rather than proof of ownership.

29. Click Stop FireAMP for Endpoints Connector Service on the desktop. This stops the AMP for Endpoints connector service,
and the AMP for Endpoints connector software changes to red. The status changes to Service Stopped.

NOTE: The machine is now non-compliant.

Figure 13. Stop FireAMP for Endpoints Connector Service


Figure 14. Cisco AMP for Endpoints Service Stopped

30. In the Cisco AnyConnect Secure Mobility Client window, select ASA Posture to connect.

31. The user is authenticated with two-factor authentication (digital certificate and username/password). AnyConnect pre-
populates the username field with the information from the digital certificate. When prompted, enter C1sco12345 for the
password.

32. Click Accept.

33. Once connected, the AnyConnect popup box notifies you that as an employee on a non-compliant corporate owned asset, you
have LIMITED access to the network. Click Ignore on the popup box.

Figure 15. Non-Compliant ASA Posture

NOTE: Clicking Ignore tells the ASA that you understand that you are not compliant, but are requesting limited network access.
The ASA dynamic access policy (DAP) applies a session specific dynamic ACL that limits network access.


OPTIONAL: You can see exactly how the ASA limits access. Open PuTTY from the desktop and double-click ASAv Outside Interface to
SSH to the ASA. If you are connected to the demo itself over AnyConnect VPN, you can also do this from your local machine with an
SSH client to 198.18.133.254. Log in with the credentials admin/C1sco12345, then type enable and enter the password C1sco12345.

Enter the following commands to see the per-session dACL that the DAP record applied to this VPN session.

ASAv# show vpn-sessiondb detail anyconnect | i Filter
Filter Name : DAP-ip-user-80185A0E
Filter Name : DAP-ip-user-80185A0E

ASAv# show access-list DAP-ip-user-80185A0E
access-list DAP-ip-user-80185A0E; 5 elements; name hash: 0x553a4eed (dynamic)
access-list DAP-ip-user-80185A0E line 1 extended deny ip any host 198.19.10.48 (hitcnt=0) 0x6cd61596
access-list DAP-ip-user-80185A0E line 2 extended deny ip any host 198.19.10.51 (hitcnt=0) 0x83cbb426
access-list DAP-ip-user-80185A0E line 3 extended deny ip any host 198.19.10.54 (hitcnt=0) 0x74c1e6a4
access-list DAP-ip-user-80185A0E line 4 extended deny ip any host 198.19.10.57 (hitcnt=0) 0x4585d996
access-list DAP-ip-user-80185A0E line 5 extended permit ip any any (hitcnt=0) 0x9f5a52a5

34. From Wkst1, open Firefox. The Cisco AnyConnect with AMP desktop displays.


35. Click the vertical specific portal icon (healthcare, education, federal or corporate portal).

Figure 16. Demonstration Portals

36. From the portal page, click General Resources. Even with limited access, the user can reach this resource.

Figure 17. General Resources


37. Click the browser back button and select Internal Resources. The limited-access session is still allowed to reach the internal
resources page.

Figure 18. Internal Resources

38. Click the link for Medical Records. The employee is blocked from accessing the records since they are using a non-compliant
corporate machine.

NOTE: The screen shots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and
within the internal resources, an Internal Records type of link. Check Table 2 - Available Portals for information on alternative log in
credentials.

39. Click X to close Firefox.

40. Disconnect from AnyConnect.


Scenario 2. AnyConnect with AMP and ISE Posture


In this scenario, you will demonstrate how to use the Cisco Identity Services Engine (ISE) to handle the posture and network
authorization, as opposed to the ASA host scan and DAP policies demonstrated in the previous scenario.

Steps
Cisco ISE can automatically remediate issues, or help the user remediate them, when an endpoint is classified as non-compliant. At
this stage of the demonstration, the workstation has a digital certificate and the watermark file, but the AMP for Endpoints
connector is NOT running, because it was stopped in the previous scenario. The posture policy configured in ISE checks two things:
first, that the watermark file is present; second, that the AMP for Endpoints connector service is running. If either check fails, ISE
flags the endpoint as non-compliant and can remediate the failing item.

To show how ISE can help remediate these issues, we will leave the AMP for Endpoints connector service shut down, and run the
toggle watermark program again so that the watermark file is deleted. Going into the ISE posture scenario, ISE flags the machine
as non-compliant because the watermark file is not present, and the AMP for Endpoints connector service is not running.

ISE has many different options for both posture and device remediation. Throughout this demonstration, we take advantage of the
file check and service check posture checks, as well as the file distribution and launch program remediation options.

NOTE: If you have not previously completed Scenario 1—AnyConnect with AMP and ASA Posture, you will need to complete the
Steps 1 through 17 of that scenario before continuing, since this scenario requires a digital certificate, and requires that the AMP
for Endpoints connector software be already installed. If you have already completed Scenario 1, please proceed to Step 1 below.

Before proceeding, make sure the AMP for Endpoints connector service is stopped. If the AMP for Endpoints connector still shows
green with a status of Connected, double-click the Stop AMP for Endpoints Connector Service icon on the desktop.

1. From Wkst1, double click Toggle Watermark. A window opens and displays a message that the system is removing the
dCloud watermark.

Figure 19. Toggle Watermark – Removal


2. Press any key to continue. The system removes the watermark file and the AMP for Endpoints service is still stopped.

3. In the Cisco AnyConnect Secure Mobility Client window, select ISE Posture to connect.

4. The user is authenticated with two-factor authentication (digital certificate and username/password). AnyConnect pre-
populates the username field with the information from the digital certificate. When prompted, enter C1sco12345 for the
password.

5. Click Accept.

6. As AnyConnect starts, a number of processes run in quick sequence:

• AnyConnect will install the ISE posture module and it will become visible in AnyConnect.

• AnyConnect will install the ISE compliance module.

• AnyConnect ISE posture module will locate the ISE server and start running a scan.

NOTE: The AnyConnect ISE posture module gathers posture information (similar to how host scan works), and allows AnyConnect
and ISE to communicate. This displays as a visible panel to AnyConnect in this scenario. The ISE compliance module is used to
allow ISE to interact with different processes and applications. For example, it can allow ISE to automatically update virus definition
files for many different vendor applications. The compliance modules are constantly updated by ISE so that the information is
always relevant and up to date. The ISE compliance module works in the background and is not visible in AnyConnect.

7. ISE posture module notifies you that there are required updates:

• REQUIREMENT_DCLOUD_WATERMARK

• REQUIREMENT_DCLOUD_FIREAMP


Figure 20. Required Updates

8. Click Cancel. Click Yes. ISE quarantines the user with limited access.

NOTE: At this point, we will not remediate the system. ISE receives the message that you understand that you are not compliant,
but are requesting limited network access. ISE sends back a dynamic ACL (dACL) to the ASA that is applied to this specific user
VPN session. The dACL limits what resources the user can access.

OPTIONAL: You can see how ISE works with the ASA to limit access. Open PuTTY from the desktop and double-click ASAv Outside
Interface to SSH to the ASA. If you are connected to the demo itself over AnyConnect VPN, you can also do this from your local
machine with an SSH client to 198.18.133.254. Log in with the credentials admin/C1sco12345, then type enable and enter the
password C1sco12345.

Enter the following commands to explore the per-session dACL that was returned by ISE and applied on the ASA to this specific
VPN session.

ASAv# show vpn-sessiondb detail anyconnect | i Filter
Filter Name : #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f
Filter Name : #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f

ASAv# sh access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f; 5 elements; name hash: 0xc3099dff (dynamic)
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 1 extended deny ip any4 host 198.19.10.48 (hitcnt=0) 0x99447b5a
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 2 extended deny ip any4 host 198.19.10.51 (hitcnt=0) 0x0f1283d7
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 3 extended deny ip any4 host 198.19.10.54 (hitcnt=0) 0x4744b019
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 4 extended deny ip any4 host 198.19.10.57 (hitcnt=0) 0x46a35a32
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 5 extended permit ip any4 any4 (hitcnt=0) 0xbb4cb5cb
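The first-match behaviour of these dACLs can be checked offline. The following Python script is an added example, not code from the dCloud guide or from Cisco: it parses `show access-list` output for both the DAP-generated dACL from Scenario 1 (the optional section after step 33) and the ISE-returned dACL above, both copied from this guide as sample input, and evaluates whether a given flow would be permitted under the ASA's first-match rule with an implicit deny at the end. The client address 198.18.133.200 is an assumed VPN pool address, not from the guide, and only the syntax that appears in these two dACLs is handled; anything else (for example a port qualifier) is refused rather than silently mis-evaluated.

```python
"""Evaluate an ASA per-session dACL against candidate flows.

Added example, not code from the dCloud guide or from Cisco.  Parses the
text that `show access-list <name>` prints and answers "would this flow be
permitted?" using first-match-wins semantics with an implicit deny at the
end.  Modelled syntax: extended permit/deny, a protocol keyword, and
any / any4 / host A.B.C.D / A.B.C.D MASK operands.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Sample input copied from the guide: the DAP dACL applied in Scenario 1.
DAP_DACL = """\
access-list DAP-ip-user-80185A0E; 5 elements; name hash: 0x553a4eed (dynamic)
access-list DAP-ip-user-80185A0E line 1 extended deny ip any host 198.19.10.48 (hitcnt=0) 0x6cd61596
access-list DAP-ip-user-80185A0E line 2 extended deny ip any host 198.19.10.51 (hitcnt=0) 0x83cbb426
access-list DAP-ip-user-80185A0E line 3 extended deny ip any host 198.19.10.54 (hitcnt=0) 0x74c1e6a4
access-list DAP-ip-user-80185A0E line 4 extended deny ip any host 198.19.10.57 (hitcnt=0) 0x4585d996
access-list DAP-ip-user-80185A0E line 5 extended permit ip any any (hitcnt=0) 0x9f5a52a5
"""

# Sample input copied from the guide: the dACL ISE returned in Scenario 2.
ISE_DACL = """\
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f; 5 elements; name hash: 0xc3099dff (dynamic)
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 1 extended deny ip any4 host 198.19.10.48 (hitcnt=0) 0x99447b5a
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 2 extended deny ip any4 host 198.19.10.51 (hitcnt=0) 0x0f1283d7
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 3 extended deny ip any4 host 198.19.10.54 (hitcnt=0) 0x4744b019
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 4 extended deny ip any4 host 198.19.10.57 (hitcnt=0) 0x46a35a32
access-list #ACSACL#-IP-NON_COMPLIANT_ACCESS-5543e17f line 5 extended permit ip any4 any4 (hitcnt=0) 0xbb4cb5cb
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<operands>.+?)"
    r"(?:\s+\(hitcnt=\d+\))?(?:\s+0x[0-9a-fA-F]+)?\s*$"
)
FILTER_RE = re.compile(r"Filter Name\s*:\s*(\S+)")


@dataclass(frozen=True)
class Ace:
    line: int
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every protocol
    src: IPv4Net
    dst: IPv4Net

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst)


def _take_operand(tokens: List[str]) -> IPv4Net:
    """Consume one address operand: any | any4 | host A.B.C.D | A.B.C.D MASK."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return IPv4Net("0.0.0.0/0")
    if tok == "host":
        return IPv4Net(tokens.pop(0) + "/32")
    return IPv4Net((tok, tokens.pop(0)), strict=False)


def parse_show_access_list(text: str) -> Tuple[Optional[str], List[Ace]]:
    """Return (ACL name, ACEs in line order) from `show access-list` output."""
    name, aces = None, []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:            # summary header line or CLI prompt: skip
            continue
        name = m.group("name")
        tokens = m.group("operands").split()
        src, dst = _take_operand(tokens), _take_operand(tokens)
        if tokens:           # e.g. "eq 443": not modelled, refuse rather than mis-evaluate
            raise ValueError(f"unsupported qualifier in line {m.group('line')}: {' '.join(tokens)}")
        aces.append(Ace(int(m.group("line")), m.group("action"), m.group("proto"), src, dst))
    return name, aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; no match is the ASA's implicit deny (line None)."""
    for ace in aces:
        if ace.matches(proto, src_ip, dst_ip):
            return ace.action, ace.line
    return "deny", None


def session_filter_names(show_vpn_sessiondb_output: str) -> List[str]:
    """Distinct dACL names bound to a session, from `show vpn-sessiondb detail anyconnect | i Filter`."""
    return sorted(set(FILTER_RE.findall(show_vpn_sessiondb_output)))


if __name__ == "__main__":
    client = "198.18.133.200"   # assumed VPN pool address, not from the guide
    for text in (DAP_DACL, ISE_DACL):
        name, aces = parse_show_access_list(text)
        print(name)
        for dst in ("198.19.10.48", "198.19.10.57", "198.19.10.60"):
            print(f"  tcp {client} -> {dst}: {evaluate(aces, 'tcp', client, dst)}")
```

Note the shape of both dACLs: four host-specific denies followed by permit ip any any. A quarantined session can therefore reach any internal host that is not explicitly listed, which is acceptable for a demo but is the reverse of a least-privilege quarantine ACL, which would permit only the remediation and portal servers and end with a deny.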

9. From Wkst1, open Firefox and click the browser Home button. The Cisco AnyConnect with AMP desktop displays.

10. Click the vertical specific portal icon (healthcare, education, federal or corporate portal).

Figure 21. Demonstration Portals


11. From the portal page, click the General Resources. The user can access this resource.

Figure 22. General Resources

12. Click the browser back button and select Internal Resources. Even in the quarantined state, the user can reach the internal
resources page.


Figure 23. Internal Resources

13. Click the link for Medical Records. ISE has limited access to the internal records resource, so the employee is blocked from
the records while the machine is non-compliant.

NOTE: The screen shots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and
within the internal resources, an Internal Records type of link. Check Table 2 - Available Portals for information on alternative log in
credentials.

14. Click X to close Firefox.

15. Disconnect from AnyConnect.

NOTE: Now that we have properly demonstrated how ISE dynamically limits user access when the machine is non-compliant, we
will connect again and demonstrate how ISE can help remediate the system so that the user can gain full network access.

16. In the Cisco AnyConnect Secure Mobility Client window, select ISE Posture to connect again.

17. The user is authenticated with two-factor authentication (digital certificate and username/password). AnyConnect pre-
populates the username field with the information from the digital certificate. When prompted, enter C1sco12345 for the
password.

18. Click Accept.

19. ISE again finds two required updates. Click the Start button on the popup to remediate.


Figure 24. Start Button and Updates


20. When prompted, save the dcloud_watermark.txt file to the C: drive by clicking Save.

NOTE: For the watermark requirement, ISE uses the file check option to check the posture of the machine by looking to see if the
watermark file is present and in the right location. It is using the File distribution remediation option to push the watermark file to the
workstation.

Figure 25. dcloud_watermark.txt

21. Click Cancel at the prompt to open folder location.

22. Click Start to remediate the second issue, REQUIREMENT_DCLOUD_FIREAMP

NOTE: For the AMP for Endpoints requirement, ISE uses the service check option to determine posture by checking whether the AMP
for Endpoints connector Windows service is running, and the launch program remediation option to fix it. When ISE finds that the
connector service is not running, it runs a .bat file on the workstation that starts the service.

23. The AMP for Endpoints service starts and the AMP for Endpoints connector displays green with a status of connected.

Figure 26. Cisco AMP for Endpoints Connected


NOTE: It may take a few moments for the AMP for Endpoints connector to change to green with a status of Connected. ISE has
now given the compliant machine full network access.

24. From Wkst1, open Firefox. The Cisco AnyConnect with AMP desktop displays.

25. Click the vertical specific portal icon (healthcare, education, federal or corporate portal).

Figure 27. Demonstration Portals

26. Select Internal Resources. As an employee with full access, the user can access the internal resources page.

Figure 28. Internal Resources


27. Click the link for Medical Records. ISE allows access to internal records resource and the employee has full access.

NOTE: The screen shots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and
within the internal resources, an Internal Records type of link. Check Table 2 - Available Portals for information on alternative log in
credentials.

Figure 29. Full Access

28. Click X to close Firefox.

29. Disconnect from AnyConnect.

