Paul,
If You look on the host that has the CTA in the directory "C:\Program Files\Common Files\PostureAgent\Plugins" you will find the DLL and INF files that are set to gather information from the host. There are two plugins the CiscoHostPP.dll and ctapp.dll. Each of these gather different information from the host. Now when the PA is sent in the EAP tunnel back to ACS when ACS is also configured to work with external PA servers then the servers are going to return tokens to ACS for successful or failed Posture Validation. So the Cisco:Host and Cisco:PA are more important when you are working with external servers but typically the tokens should match your condition sets. There are exceptions to that but I would just use it as a rule. Regards, Tyson Scott - CCIE #13513 R&S, Security, and SP Technical Instructor - IPexpert, Inc. Mailto: [email protected] Telephone: +1.810.326.1444, ext. 208 Live Assistance, Please visit: www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com <http://www.ipexpert.com/> From: [email protected] [mailto:[email protected]] On Behalf Of Paul Alexander Sent: Saturday, April 10, 2010 11:02 AM To: [email protected] Subject: [OSL | CCIE_Security] When to set Cisco:Host or Cisco:PA? Hi all, I'm trying to figure out when you would set a posture token of 'PA' or 'Host'. The documentation isn't very clear, but as far as I can tell it just depends if your using CTA or not. Is that right? regards, Paul.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
