I understand. It can be frustrating. So basically yes you need the CTA to get the posture information back to ACS. Take a read of this: http://www.cisco.com/en/US/docs/security/cta/admin_guide/ctaPlugn.html#wp1043483 and if it's still giving you a hard time let me know.
Basically you have application posture tokens that can be different. so- Cisco:Host values can posture to healthy and Cisco:PA can posture to Quarantine. Then of the two different application posture tokens ACS takes the lowest value, in this case Quarantine and assigns that as the System Posture Token. Here is another way to look at it. Lets say you want to see the following: Cisco:Host:HotFixes=KB65643 and that equals Healthy else assign Quarantine as the Application Posture Token. and Cisco:PA:OS-Type=Windows XP Professional and that equals Healthy lse assign Quarantine as the Application Posture Token. If both items are true the System Posture Token would be Healthy. If only 1 is true the other will assign the Application Posture Token of Quarantine and ACS looks at both, picks the lowest and assigns the System Posture Token to Quarantine. HTH Regards, Brandon Carroll - CCIE #23837 Senior Technical Instructor - IPexpert Mailto: [email protected] Telephone: +1.810.326.1444 Live Assistance, Please visit: www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com On Apr 10, 2010, at 9:07 AM, Paul Alexander wrote: > ssign a token of 'Cisco:PA Healthy' as opposed to 'Cisc
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
