Phase 5: Lab Validation

Lab Environment Requirements

  • ASA (physical or ASAv) with AnyConnect image

  • ISE 3.2 node with admin access

  • Entra ID test tenant (or dev app registration in prod tenant)

  • AnyConnect test client (Windows + macOS minimum)

  • Network path: client → ASA → ISE → internet (login.microsoftonline.com)

Test Cases

#  | Test                                                          | Expected Result                                        | Status
1  | AnyConnect connects, SAML redirect to Entra login             | Microsoft login page appears in embedded browser       | [ ]
2  | Valid credentials + MFA → VPN established                     | Tunnel up, correct IP assigned, DACL applied           | [ ]
3  | Invalid credentials → VPN denied                              | Auth failure, no tunnel, clear error message           | [ ]
4  | MFA timeout/cancel → VPN denied                               | Graceful failure, user can retry                       | [ ]
5  | User not in SG-VPN-Users → denied by Entra CA policy          | Blocked at Entra, clear error                          | [ ]
6  | Conditional Access — non-compliant device → denied            | CA blocks auth, user sees compliance message           | [ ]
7  | ISE posture check (if applicable) → limited then full access  | Initial limited DACL, posture pass → full DACL via CoA | [ ]
8  | Session timeout → re-authentication via SAML                  | Seamless re-auth or prompted login                     | [ ]
9  | ASA show vpn-sessiondb anyconnect shows correct attributes    | Username, group-policy, SAML attributes visible        | [ ]
10 | ISE live logs show SAML auth events                           | SAML identity source, correct authz rule hit           | [ ]
11 | Rollback: switch tunnel-group back to RADIUS                  | Okta RADIUS auth works immediately (no SAML)           | [ ]

Validation Commands

ASA

show vpn-sessiondb anyconnect
show webvpn saml idp
show saml metadata <tunnel-group-name>
debug webvpn saml 255

ISE

! Live Logs — filter by username or NAS-IP
! Operations > RADIUS > Live Logs
! Check: Identity Source, Authorization Rule, Result

AnyConnect Client

! DART bundle for troubleshooting
! %PROGRAMDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\Logs\
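Test 9 is quick to eyeball for one user but tedious across a full test matrix, so the following is an added example (not part of the original runbook) that parses `show vpn-sessiondb anyconnect` output and checks username, group-policy, tunnel-group and assigned IP against the expected values. The sample output, the names GP-VPN-Users and TG-SAML-ENTRA and the 10.20.30.0/24 pool are constructed placeholders; the parser assumes the two "Key : Value" pairs per line layout the ASA prints.

```python
import ipaddress
import re
# Constructed sample output (not captured from a real ASA). The layout of two
# "Key : Value" pairs per line mirrors what `show vpn-sessiondb anyconnect` prints.
SAMPLE_OUTPUT = """Session Type: AnyConnect

Username     : jdoe@example.com       Index        : 4711
Assigned IP  : 10.20.30.5             Public IP    : 198.51.100.23
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP-VPN-Users           Tunnel Group : TG-SAML-ENTRA
Login Time   : 09:41:07 UTC Tue Jun 4 2024
Duration     : 0h:03m:12s
"""

# One "Key : Value" field. The value runs until a gap of two or more spaces
# that introduces another "Key :" on the same line, or until end of line.
FIELD_RE = re.compile(
    r"([A-Za-z][A-Za-z /]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z /]*?\s*:|$)"
)

def parse_sessions(output: str) -> list[dict[str, str]]:
    """Return one dict of fields per session; each 'Username' starts a session."""
    sessions, current = [], {}
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        if "Username" in fields and "Username" in current:
            sessions.append(current)  # previous session complete
            current = {}
        current.update(fields)
    if current:
        sessions.append(current)
    return sessions

def check_session(session: dict[str, str], user: str, group_policy: str,
                  tunnel_group: str, pool: str) -> list[str]:
    """Compare a parsed session to the expected values; an empty list means pass."""
    failures = []
    for key, expected in (("Username", user), ("Group Policy", group_policy),
                          ("Tunnel Group", tunnel_group)):
        if session.get(key) != expected:
            failures.append(f"{key}: got {session.get(key)!r}, expected {expected!r}")
    try:  # Assigned IP must fall inside the pool configured for the group-policy
        if ipaddress.ip_address(session.get("Assigned IP", "")) not in ipaddress.ip_network(pool):
            failures.append(f"Assigned IP {session['Assigned IP']} outside pool {pool}")
    except ValueError:
        failures.append("Assigned IP missing or malformed")
    return failures
```

Feed it the pasted output of the ASA command for each test user and treat any non-empty list as a failed row in the table above.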