Remediation Actions
Objective
In this lesson you will configure remediation actions for non‑compliant endpoints in Cisco ISE Posture: file remediation (deploying a script or executable to a client), link remediation (redirecting users to a Client Provisioning / remediation portal), and message remediation (displaying a user message). Remediation is critical in production because it automates returning endpoints to a secure state and reduces help‑desk load. Real‑world example: when a laptop fails an antivirus check, ISE redirects the user to a remediation portal that pushes an AV installer or shows step‑by‑step instructions until compliance is achieved.
Quick Recap
This lesson continues the Lab 35 topology used in Lesson 1. No new routers or switches are added for this lesson — we focus on the ISE Posture server(s), the AnyConnect posture resources delivered by the VPN headend (ASA/FTD) where applicable, and the client machine.
Note: this lesson uses the exact resource paths and service port referenced in the provided material: posture script locations on endpoints and server paths, and communication over TCP port 8443. Domain names used in examples: lab.nhprep.com.
ASCII Topology (focus on posture/resource flow)
[Client] ----------------- (HTTPS/8443) ----------------- [ISE-PSN / Posture Service]
   |                                                             |
   | (downloads script to                                        | (hosts Posture resources,
   |  %LOCALAPPDATA%\Cisco\Cisco Anyconnect                      |  provides Posture Assessment
   |  Secure Mobility Client\scripts)                            |  Reports and remediation)
   |
[ASA/FTD AnyConnect Headend] --- (pushes posture resources) --- [ISE-PSN]
All posture client script install paths referenced in this lesson:
- Windows client download target (local): %LOCALAPPDATA%\Cisco\Cisco Anyconnect Secure Mobility Client\scripts
- Windows client alternate all-users: %ALLUSERSPROFILE%\Cisco\Cisco Anyconnect Secure Mobility Client\ISE Posture\scripts
- Linux client target: ~/.cisco/iseposture/scripts or /opt/cisco/anyconnect/iseposture/scripts
Key Concepts
- Posture Remediation Types
- File remediation: the NAD (ASA/FTD) or ISE makes a remediation file (script, installer) available for client download and execution. Use when you can reliably push or let the client pull an installer (e.g., AV client).
- Link remediation: the client is redirected to a remediation portal (Client Provisioning Portal) where downloads, instructions, or interactive remediation occur.
- Message remediation: a simple instruction or policy message is displayed to the user (e.g., “Contact helpdesk”).
- Where resources live and how they are delivered
- ISE hosts posture reports and can host or link to remediation resources. ASA/FTD can also push AnyConnect posture resources to the client (note: ASA/FTD pushes resources; it does not install a compliance module on the ASA itself).
- Script behavior and verification
- Posture scripts may be PowerShell (.ps1) or shell (.sh). ISE and NADs expect scripts to return an exit code between 0 and 255; exit codes <0 are predefined errors, >0 can be user‑defined. ISE treats 0 as success (compliant) by convention.
- Network considerations
- If TCP 8443 (or whatever management/data port you use) is blocked between the client and ISE/PSN, posture cannot complete — capture logs and verify that packets on port 8443 traverse your devices.
- Analogy: Think of remediation as a targeted “first-aid kit” delivered to the device — some kits are delivered (file remediation), some are instructions and links (link remediation), and some are just a notice telling the user to seek help (message remediation).
Step-by-step configuration
Each step below contains commands, explanations, WHY they matter, and verification with expected output. Commands manipulate resource files on the posture web host (ISE file hosting or the ASA/FTD web resources) and verify availability and integrity. Adjust hostnames to your environment (examples use ise.lab.nhprep.com and lab.nhprep.com).
Step 1: Prepare Posture Script and Host It
What we are doing: create the remediation script (PowerShell or shell), place it where ISE or the NAD can serve it, and compute its SHA‑256 hash so ISE can verify integrity. This ensures the client downloads the exact file expected and prevents tampering.
# On the Posture resource host (ISE PSN webhost or dedicated web server)
mkdir -p /var/www/html/iseposture/scripts
cat > /var/www/html/iseposture/scripts/ise_remediate.ps1 <<'EOF'
# Simple placeholder PowerShell script for example
# Return 0 on success (compliant), non-zero for remediation required
Write-Output "Running ISE remediation script..."
# Simulate remediation steps here
exit 0
EOF
# Compute SHA-256
sha256sum /var/www/html/iseposture/scripts/ise_remediate.ps1 > /var/www/html/iseposture/scripts/ise_remediate.ps1.sha256
What just happened:
- mkdir -p created a directory in the web root where posture resources are hosted.
- The heredoc wrote a simple PowerShell script that returns exit code 0 (indicating success).
- sha256sum generated a SHA‑256 checksum file that ISE can use to verify the script hash before instructing clients to use it. Hash verification prevents clients from running tampered code.
Real-world note: Host the remediation files on a hardened web server or the ISE appliance webroot; ensure HTTPS and correct certificates to avoid MITM and to pass client TLS checks.
Verify:
# Verify the file exists and check contents and hash
ls -l /var/www/html/iseposture/scripts/
cat /var/www/html/iseposture/scripts/ise_remediate.ps1
cat /var/www/html/iseposture/scripts/ise_remediate.ps1.sha256
Expected output:
-rw-r--r-- 1 root root 123 Apr 1 12:00 ise_remediate.ps1
-rw-r--r-- 1 root root 64 Apr 1 12:00 ise_remediate.ps1.sha256
Running ISE remediation script...
# (script content shown)
d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2 /var/www/html/iseposture/scripts/ise_remediate.ps1
Step 2: Make Remediation Resource Reachable via HTTPS/8443
What we are doing: serve the remediation script over HTTPS on the posture web service and ensure accessibility on the port used for posture communication (TCP 8443). If ASA/FTD is in the path, ensure it can reach and/or push the resource.
# Verify HTTPS connectivity to the posture resource (from a client or testing host)
curl -vk https://ise.lab.nhprep.com:8443/iseposture/scripts/ise_remediate.ps1 --cacert /etc/ssl/certs/ise_lab_nhprep_com.pem -o /tmp/ise_remediate.ps1
What just happened:
- curl attempts to download the remediation script over HTTPS on port 8443 from ise.lab.nhprep.com. Using the CA cert ensures TLS verification. This verifies both service availability and port reachability; posture traffic commonly uses 8443 and must be allowed end‑to‑end.
Real-world note: In many production setups ASA/FTD and ISE communicate posture resources over specific ports; a local firewall or third‑party appliance blocking 8443 will break posture. When troubleshooting, capture traffic and verify 8443 connectivity.
Verify:
# Confirm the downloaded file and check the hash matches the hosted sha256
ls -l /tmp/ise_remediate.ps1
sha256sum /tmp/ise_remediate.ps1
cat /var/www/html/iseposture/scripts/ise_remediate.ps1.sha256
Expected output:
-rw-r--r-- 1 root root 123 Apr 1 12:01 /tmp/ise_remediate.ps1
d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2 /tmp/ise_remediate.ps1
d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2 /var/www/html/iseposture/scripts/ise_remediate.ps1
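The integrity check from Steps 1 and 2 and the exit-code convention from Key Concepts, as an added POSIX shell example that is not part of the lesson or of Cisco's client. It assumes a `sha256sum`-format sidecar file as produced above; the file names under a temp directory are constructed stand-ins for the hosted paths.

```shell
# Added example: client-side integrity gate for an ISE remediation script.
# The .sha256 sidecar written by `sha256sum` on the host is compared with the
# downloaded file before the script would be run, and the script's exit status
# is mapped onto the 0..255 contract described in Key Concepts.

# Compare a downloaded file against a sha256sum-format sidecar ("<hash>  <path>").
# Returns 0 when the hashes match, 1 on mismatch, missing input or a malformed sidecar.
verify_remediation_file() {
    file=$1; sidecar=$2
    [ -f "$file" ] && [ -f "$sidecar" ] || return 1
    expected=$(awk 'NR==1 { print tolower($1) }' "$sidecar")
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    # A SHA-256 digest is exactly 64 hex characters; reject truncated sidecars.
    [ "${#expected}" -eq 64 ] || return 1
    [ "$expected" = "$actual" ]
}

# Map a remediation script's exit status to the posture outcome:
# 0 = compliant, 1..255 = remediation required, anything else = invalid.
classify_exit_code() {
    case $1 in
        0) echo compliant ;;
        [1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) echo remediation-required ;;
        *) echo invalid ;;
    esac
}

# Demo with constructed files (stand-ins for ise_remediate.ps1 and its .sha256).
demo_dir=$(mktemp -d)
printf 'Write-Output "Running ISE remediation script..."\nexit 0\n' > "$demo_dir/ise_remediate.ps1"
sha256sum "$demo_dir/ise_remediate.ps1" > "$demo_dir/ise_remediate.ps1.sha256"
cp "$demo_dir/ise_remediate.ps1" "$demo_dir/tampered.ps1"
printf '# line appended after hashing\n' >> "$demo_dir/tampered.ps1"   # simulates modification in transit

if verify_remediation_file "$demo_dir/ise_remediate.ps1" "$demo_dir/ise_remediate.ps1.sha256"; then
    echo "hash OK: script may run"; else echo "hash mismatch: refusing to run"; fi
if verify_remediation_file "$demo_dir/tampered.ps1" "$demo_dir/ise_remediate.ps1.sha256"; then
    echo "tampered copy accepted (BUG)"; else echo "tampered copy rejected"; fi
echo "exit 0 -> $(classify_exit_code 0); exit 3 -> $(classify_exit_code 3); exit 300 -> $(classify_exit_code 300)"
rm -rf "$demo_dir"
```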
Step 3: Configure ISE Posture Policy to Reference the Resource (File Remediation)
What we are doing: configure the ISE Posture policy to reference the hosted remediation file and the SHA‑256. This ties the posture requirement to an actual file the client can retrieve. (In GUI this is where you create a Posture requirement that uses a Script/Remediation action; in the backend you reference the URL and the SHA‑256.)
# Example CLI-like representation: register resource URL and SHA in ISE posture repository (conceptual)
# In practice: use ISE Admin GUI -> Posture -> Posture Policies -> Add Remediation -> File (point to https://ise.lab.nhprep.com:8443/iseposture/scripts/ise_remediate.ps1)
# We demonstrate a verification curl to show the resource is reachable (ISE will do similar checks)
curl -I -k https://ise.lab.nhprep.com:8443/iseposture/scripts/ise_remediate.ps1
What just happened:
- The posture policy will reference the hosted URL and expected SHA‑256. ISE uses the SHA to ensure the downloaded file matches exactly what you intended. The curl -I verifies that the HTTP server responds (headers and status) so ISE and clients can download the file.
Real-world note: Keep the hosted remediation URL stable. If you change a file, update the SHA in ISE. Mismatch between SHA in ISE and the file on the host results in download rejection and failed remediation.
Verify:
# Check HTTP/HTTPS status header
curl -I -k https://ise.lab.nhprep.com:8443/iseposture/scripts/ise_remediate.ps1
Expected output (HTTP/HTTPS headers):
HTTP/1.1 200 OK
Date: Thu, 01 Apr 2026 12:02:00 GMT
Server: nginx/1.18.0
Content-Type: application/octet-stream
Content-Length: 123
Last-Modified: Thu, 01 Apr 2026 12:00:00 GMT
Connection: keep-alive
Step 4: Configure Link Remediation (Client Provisioning Portal)
What we are doing: create a Client Provisioning / remediation portal and a link remediation action that redirects non‑compliant clients to that portal. The portal hosts instructions, files, and a status page where clients re‑check posture.
# Place portal files in webroot
mkdir -p /var/www/html/clientprovision
cat > /var/www/html/clientprovision/index.html <<'EOF'
<html><body>
<h1>ISE Client Provisioning - NHPREP</h1>
<p>Follow the instructions to remediate your device.</p>
<a href="/iseposture/scripts/ise_remediate.ps1">Download remediation script</a>
</body></html>
EOF
# Verify portal is reachable
curl -k https://ise.lab.nhprep.com:8443/clientprovision/index.html -o /tmp/clientprovision.html
What just happened:
- Portal files were created under a web path that the link remediation action will target. When ISE returns a redirect rule to the NAD (or directly issues a redirect during posture), clients are sent to this URL to download remediation files or follow instructions.
Real-world note: Use redirect chaining carefully — users must be able to reach the portal before posture times out. Make the portal content clear for end users and include a status/refresh mechanism.
Verify:
# Confirm portal HTML is present and contains expected link
cat /tmp/clientprovision.html
Expected output:
<html><body>
<h1>ISE Client Provisioning - NHPREP</h1>
<p>Follow the instructions to remediate your device.</p>
<a href="/iseposture/scripts/ise_remediate.ps1">Download remediation script</a>
</body></html>
Step 5: Configure Message Remediation and Test Posture Flow
What we are doing: create a simple message remediation action in ISE that displays a user‑facing message when remediation is required (e.g., “Your antivirus is out of date — contact helpdesk”). Then simulate a posture failure and ensure the assessment report shows the remediation applied and the session state.
# Conceptual verification: show that posture assessment report contains remediation action
# In production: check ISE GUI -> Operations -> Reports -> Posture Assessment Report for the endpoint
# For our verification, simulate viewing the Posture Assessment Report file (example JSON/text dump)
cat /var/log/ise/posture_assessment_example.log
What just happened:
- The ISE Posture Assessment Report contains lines indicating matched posture policies and remediation actions. Message remediation does not push files; instead, ISE returns a message string to the NAC/NAD, which the client provisioning mechanism (or AnyConnect) presents to the user.
Real-world note: Message remediation is useful when IT wants to require manual intervention (e.g., when system reboots or admin approval is needed) or to direct users to contact support.
Verify:
# Example excerpt from a Posture Assessment Report (expected content)
cat /var/log/ise/posture_assessment_example.log
Expected output:
Timestamp: 2026-04-01T12:05:00Z
Endpoint: host123.lab.nhprep.com
PostureResult: Non-Compliant
MatchedPosturePolicies: WindowsAVCheck, DiskEncryptionCheck
RemediationActions:
- FileRemediation: https://ise.lab.nhprep.com:8443/iseposture/scripts/ise_remediate.ps1 SHA256=d2d2d2...
- LinkRemediation: https://ise.lab.nhprep.com:8443/clientprovision/index.html
- MessageRemediation: "Please contact NHPREP Helpdesk at x123 or follow the remediation portal instructions."
LastScanTime: 2026-04-01T12:04:58Z
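Triage of a Posture Assessment Report in the format shown above (Step 5 and Check 3), as an added POSIX shell example that is not part of the lesson or of ISE. The report text it parses is constructed for the demo, with one LinkRemediation deliberately left on plain HTTP so the audit has something to flag; the SHA256 value is a placeholder.

```shell
# Added example: parse a Posture Assessment Report excerpt and flag remediation
# URLs that are not served over HTTPS on TCP/8443, the lesson's hosting requirement.

# Print the PostureResult field of a report file.
posture_result() {
    awk -F': ' '/^PostureResult:/ { print $2 }' "$1"
}

# Check every File/Link remediation URL (third field of "  - XRemediation: URL ...").
# Prints offenders; exit status 1 if any URL is not https://host:8443/... .
audit_remediation_urls() {
    awk '/(File|Link)Remediation:/ {
            url = $3
            if (url !~ "^https://[^/]+:8443/") {
                print "WARN remediation URL not HTTPS on 8443: " url
                bad = 1
            }
         }
         END { exit bad }' "$1"
}

# Constructed report excerpt in the lesson's format (not real ISE output).
report=$(mktemp)
cat > "$report" <<'EOF'
Timestamp: 2026-04-01T12:05:00Z
Endpoint: host123.lab.nhprep.com
PostureResult: Non-Compliant
MatchedPosturePolicies: WindowsAVCheck, DiskEncryptionCheck
RemediationActions:
  - FileRemediation: https://ise.lab.nhprep.com:8443/iseposture/scripts/ise_remediate.ps1 SHA256=<placeholder>
  - LinkRemediation: http://ise.lab.nhprep.com/clientprovision/index.html
  - MessageRemediation: "Please contact NHPREP Helpdesk at x123 or follow the remediation portal instructions."
LastScanTime: 2026-04-01T12:04:58Z
EOF

echo "Endpoint posture: $(posture_result "$report")"
if audit_remediation_urls "$report"; then
    echo "all remediation URLs OK"
else
    echo "fix the flagged URLs before go-live"
fi
rm -f "$report"
```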
Verification Checklist
- Check 1: Resource file is hosted and reachable via HTTPS on TCP/8443 — verify with curl -I -k https://ise.lab.nhprep.com:8443/iseposture/scripts/ise_remediate.ps1 and expect HTTP/1.1 200 OK.
- Check 2: SHA‑256 of the hosted file matches the SHA recorded in the ISE Posture requirement — verify with sha256sum on both the hosted file and the downloaded file; expect identical hashes.
- Check 3: Posture Assessment Report shows Non‑Compliant with remediation entries — verify by examining the ISE Posture Assessment Report (Operations -> Posture Assessment Report) and expect entries for FileRemediation, LinkRemediation, and MessageRemediation as shown above.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| Client stuck in “Pending” posture; no remediation starts | TCP/port 8443 blocked between client/NAD and ISE PSN | Verify network path and firewall rules; allow TCP 8443. Capture traffic to confirm (packets must traverse). |
| Client downloads file but remediation fails or shows unknown result | Script exit code invalid or not in 0–255 range; script requires elevated privileges | Ensure script returns a valid exit code (0 for success). If elevated rights are needed, provide instructions or use an installer that escalates correctly. |
| SHA mismatch between ISE and hosted script | File updated on host but SHA not updated in ISE posture resource | Recalculate SHA‑256 and update the posture resource configuration in ISE to match the new hash. |
| AnyConnect resources not delivered to client | ASA/FTD and ISE versions mismatch, or deferred-update settings cause a failed push | Ensure compatible AnyConnect versions as per your NAD recommendations. If the ISE release is newer than the ASA/FTD release, check the compatibility matrix and follow the proper update ordering. |
Key Takeaways
- Remediation actions are how ISE moves an endpoint from non‑compliant to compliant; three common methods are file, link, and message remediation.
- Always host remediation files over a secure, reachable HTTPS endpoint (port 8443 in many posture architectures). Blocked ports are the most common cause of posture failure.
- Use SHA‑256 file hashing to guarantee the integrity of remediation scripts and update the hash in ISE whenever the hosted file changes.
- In production, coordinate AnyConnect/ASA/FTD and ISE versions and test remediation flows end‑to‑end with sample clients; capture posture assessment reports and logs to confirm behavior.
Tip: During go‑live, monitor the Posture Assessment Reports and Live Logs in ISE closely to detect redirect failures or missing remediation artifacts. Keep remediation scripts and portal content accessible and clear for end users to reduce support calls.