I've just been looking through the Volume I NAC scenario for L2-802.1X, and it creates three validation policies for posture assessment of the XP machine.

The first one checks for the correct version of Trust Agent, which is a Cisco:PA value. So the posture token assigned is Cisco:PA:Healthy, else it's Cisco:PA:Quarantine. The second one checks for service pack (a Cisco:Host value), and if that passes it's assigned Cisco:Host:Healthy, else it's assigned Cisco:Host:Quarantine. Third is for the OS, which is similar to the first.

Although the solution doesn't say why, it makes a point of saying specifically which one you should be selecting for the token (Cisco:PA or Cisco:Host). The only conclusion that I can draw from this and the NAC Vol I book is that if you only assess Cisco:Host values then you need to assign a Cisco:Host token, whereas if you evaluate both Cisco:Host and Cisco:PA values then it doesn't matter which one you select.

On Sat, Apr 10, 2010 at 7:21 PM, Brandon Carroll <[email protected]> wrote:

> Right, in an "and" condition they all need to match to assign the token. I
> can't think of a reason off the top of my head for choosing one over the
> other, so I'd have to lab it up.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com.
>
> On Apr 10, 2010, at 10:52 AM, Paul Alexander <[email protected]> wrote:
>
> I think we're talking about something different.
>
> You mention that the difference is in the values you match on. That's when
> you create the actual conditions (PA:OS, Host:Hotfixes, Host:Kernel etc).
>
> After that you assign a posture token to the condition set... the option
> is Cisco:Host or Cisco:PA (healthy, quarantine etc).
>
> If you create an AND logic condition that includes Cisco:PA and Cisco:Host
> match statements, they all still need to match before it can assign a token,
> right? So when choosing the type of token to assign, why would you assign a
> Cisco:Host token over a Cisco:PA token?
>
> Sorry for battering this to death, but I'm not quite getting it.
>
> Regards,
>
> Paul
>
> On Sat, Apr 10, 2010 at 6:24 PM, Brandon Carroll <[email protected]> wrote:
>
>> The difference is in the values you are matching on.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>>
>> On Apr 10, 2010, at 10:18 AM, Paul Alexander <[email protected]> wrote:
>>
>> Okay, I think I get some of that. Here's the example I'm confused by:
>>
>> *Condition 1*
>> Cisco:PA:OS-Type contains Windows 2000
>> AND
>> Cisco:Host:Hotfixes=KB14478
>>
>> Posture Token = Cisco:Host:Healthy
>>
>> *Condition 2*
>> Default
>>
>> Posture Token = Cisco:Host:Quarantine
>>
>> Now in this case, what is the difference in me using Cisco:Host instead of
>> Cisco:PA for the posture tokens (healthy and quarantine)?
>>
>> Thanks for all your help mate, it's appreciated.
>>
>> Paul.
>>
>> On Sat, Apr 10, 2010 at 5:27 PM, Brandon Carroll <[email protected]> wrote:
>>
>>> I understand. It can be frustrating.
>>>
>>> So basically yes, you need the CTA to get the posture information back to
>>> ACS. Take a read of this:
>>> http://www.cisco.com/en/US/docs/security/cta/admin_guide/ctaPlugn.html#wp1043483
>>> and if it's still giving you a hard time let me know.
>>>
>>> Basically you have application posture tokens that can be different. So
>>> Cisco:Host values can posture to Healthy and Cisco:PA can posture to
>>> Quarantine. Then of the two different application posture tokens ACS takes
>>> the lowest value, in this case Quarantine, and assigns that as the System
>>> Posture Token. Here is another way to look at it.
>>>
>>> Let's say you want to see the following:
>>>
>>> Cisco:Host:HotFixes=KB65643
>>> and that equals Healthy, else assign Quarantine as the Application Posture
>>> Token.
>>>
>>> and
>>>
>>> Cisco:PA:OS-Type=Windows XP Professional
>>> and that equals Healthy, else assign Quarantine as the Application Posture
>>> Token.
>>>
>>> If both items are true the System Posture Token would be Healthy.
>>>
>>> If only 1 is true the other will assign the Application Posture Token of
>>> Quarantine and ACS looks at both, picks the lowest and assigns the System
>>> Posture Token to Quarantine.
>>>
>>> HTH
>>>
>>> Regards,
>>>
>>> Brandon Carroll - CCIE #23837
>>> Senior Technical Instructor - IPexpert
>>>
>>> On Apr 10, 2010, at 9:07 AM, Paul Alexander wrote:
>>>
>>> ssign a token of 'Cisco:PA Healthy' as opposed to 'Cisc
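An added example, not code from the thread or from Cisco ACS, modelling the rule Brandon describes: each validation policy yields an Application Posture Token (APT), and ACS assigns the lowest APT as the System Posture Token (SPT). The token ordering is the NAC posture hierarchy; the two policies and the host reports are constructed sample data mirroring his hotfix and OS-type checks.

```python
# Added example (not from the thread or ACS): per-policy APTs, then the SPT is
# the lowest APT. Rules and host reports below are constructed sample data.

# NAC posture tokens from best to worst; the SPT is the worst APT in play.
TOKEN_ORDER = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]

def lowest_token(tokens):
    """Return the worst (lowest-ranked) token, or Unknown if nothing was assessed."""
    return max(tokens, key=TOKEN_ORDER.index) if tokens else "Unknown"

def match(value, op, expected):
    """Evaluate one attribute condition; an attribute the agent did not report never matches."""
    if value is None:
        return False
    if op == "=":
        return value == expected
    if op == "contains":
        return expected in value
    raise ValueError(f"unsupported operator {op!r}")

def evaluate_policy(policy, attrs):
    """First rule whose AND-ed conditions all hold assigns its token; else the default rule."""
    for conditions, namespace, token in policy["rules"]:
        if all(match(attrs.get(attr), op, exp) for attr, op, exp in conditions):
            return namespace, token
    return policy["default"]

def system_posture_token(policies, attrs):
    """Return (SPT, [(namespace, APT), ...]) for one host's reported attributes."""
    apts = [evaluate_policy(policy, attrs) for policy in policies]
    return lowest_token([token for _, token in apts]), apts

# Two policies mirroring Brandon's example: hotfix check (Cisco:Host) and OS check (Cisco:PA).
POLICIES = [
    {"rules": [([("Cisco:Host:Hotfixes", "=", "KB65643")], "Cisco:Host", "Healthy")],
     "default": ("Cisco:Host", "Quarantine")},
    {"rules": [([("Cisco:PA:OS-Type", "contains", "Windows XP Professional")], "Cisco:PA", "Healthy")],
     "default": ("Cisco:PA", "Quarantine")},
]

# Constructed host reports: one fully compliant, one missing the required hotfix.
COMPLIANT = {"Cisco:Host:Hotfixes": "KB65643", "Cisco:PA:OS-Type": "Windows XP Professional"}
MISSING_FIX = {"Cisco:Host:Hotfixes": "KB12345", "Cisco:PA:OS-Type": "Windows XP Professional"}

if __name__ == "__main__":
    for name, host in [("compliant", COMPLIANT), ("missing hotfix", MISSING_FIX)]:
        spt, apts = system_posture_token(POLICIES, host)
        print(f"{name}: APTs={apts} -> SPT={spt}")
```

The second host passes the Cisco:PA policy but fails the Cisco:Host one, so its two APTs disagree and the SPT drops to Quarantine, which is the behaviour Brandon describes.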
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
