When you don't have CTA, then posturing won't happen. You need a bypass.

With NAC L2 802.1x, you need to use MAB (MAC authentication bypass). The MAC address is associated to a group. If the CTA with 802.1x supplicant is not present, after some time the switch will send the MAC address as username/password.

With NAC L2 IP or L3 IP, you need to configure for eou allow clientless with clientless username/password for PCs without CTA. You need to configure username/password in the ACS.

There is a difference in the AV sent to ACS with CTA and non-CTA:

1) 802.1x with CTA - no call check (10)
2) 802.1x without CTA - call check (10)
3) NAC L2 or L3 IP with CTA - no call check (10) + ip_admission (VSA) ---> CTA credentials are sent and posturing happens
4) NAC L2 or L3 IP without CTA - call check (10) + ip_admission (VSA) ----> eou clientless username/password is sent and authenticated

ACS global

Usually you create NAC NAP will have these request criteria

CTA is the one that takes all the PC info that Service packs, OS version, OS type etc.

With regards
Kings

On Sat, Apr 10, 2010 at 9:09 PM, Paul Alexander <[email protected]> wrote:

> Thanks Brandon,
>
> I'm a little confused by that though. I see two places where you can set
> Cisco:PA and Cisco:Host.
>
> One of them is in the condition sets, and the other is when you are setting
> the posture token for your condition set.
>
> So with that in mind, if I want to match Cisco:PA conditions such as
> Kernel, or OS type....do I need to be using CTA?
>
> Just to clarify also, if I don't have CTA, when I set the 'Posture Token'
> for the condition set do I have to use Cisco:Host for it to work?
>
> Or am I just completely wrong? ;)
>
> On Sat, Apr 10, 2010 at 4:24 PM, Brandon Carroll <[email protected]> wrote:
>
>> If you are using CTA you would use PA. Host would match things like
>> Service Packs and Hot Fixes.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> On Apr 10, 2010, at 8:02 AM, Paul Alexander wrote:
>>
>> > Hi all,
>> >
>> > I'm trying to figure out when you would set a posture token of 'PA' or 'Host'.
>> >
>> > The documentation isn't very clear, but as far as I can tell it just depends if you're using CTA or not. Is that right?
>> >
>> > regards,
>> >
>> > Paul.
>> >
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
