Hi Piotr

Actually my query was a different one. When we add a Posture Validation Policy, we define the condition sets and then we select the Posture token and Notification string for that policy as follows:

Posture Token: Cisco:PA/Cisco:Host/Cisco:HIP-Healthy/Quarantine/Transition/Checkup/Infected/Unknown
Notification String: http://X.X.X.X

For the Posture Token, we can select either Cisco:PA or Cisco:Host or Cisco:HIP. Why do we have three types of Posture Tokens? Just having one simple Posture Token without the classification of PA or Host or HIP should suffice, right? I would like to know the significance of having three types of token. Please comment.

*Notification String*

The notification string can be added directly in the Posture Validation Policy and in the NAP policy against each Posture Validation Policy. When I add a Notification string in the Posture Validation policy, I have never seen the string displayed in the popup. Instead, I always add it in the NAP Policy > Posture Validation > Action, and that works for me.

Any thoughts?

With regards
Kings

On Tue, Jul 19, 2011 at 6:54 PM, Piotr Matusiak <[email protected]> wrote:

> Kings,
>
> This is for vendor plug-in notification. It works well with PA and you can
> lab it up. When you choose Cisco:PA configure notification string like
> http://x.x.x.x and you'll see that a web browser will pop up upon users'
> authorization.
> You may have other vendors' plug-ins installed and then, you may notify them
> to perform some action.
>
> It does not affect APT at all. You can check whatever you like there (PA
> name), only posture token is important.
> As you already mentioned, all APTs are checked and the most restrictive
> becomes SPT for that host.
>
> Hope it's clear now.
>
> Regards,
> Piotr
>
>
> 2011/7/19 Kingsley Charles <[email protected]>
>
>> Hi Piotr
>>
>> Can you please let me know your comment on this query.
>>
>> With regards
>> Kings
>>
>>
>> ---------- Forwarded message ----------
>> From: Kingsley Charles <[email protected]>
>> Date: Mon, Jul 18, 2011 at 3:45 PM
>> Subject: Re: [OSL | CCIE_Security] NAC Posture tokens
>> To: Bruno <[email protected]>
>> Cc: [email protected]
>>
>>
>> Even I am not getting the answer for this. It's not easy to find docs for
>> legacy NAC.
>>
>> Let's hear it from people on the board too.
>>
>> So the question is, why do we have three types of tokens Cisco:PA,
>> Cisco:Host and Cisco:HIP when configuring PV policy, i.e., why is the token
>> classified as HIP, Host and PV?
>>
>> With regards
>> Kings
>>
>>
>> On Sat, Jul 16, 2011 at 11:07 PM, Bruno <[email protected]> wrote:
>>
>>> I could be wrong and probably I am wrong but here is what I did.
>>> Without selecting HOST, even if I say to ACS to validate some specific
>>> HOTFIX and some sort of internal Windows stuff, it didn't work. When I
>>> added HOST as required and changed the type from PA to HOST, it looked
>>> better and I could catch.
>>>
>>> But your question has been around my mind for a big while
>>>
>>> On Sat, Jul 16, 2011 at 2:21 AM, Kingsley Charles <
>>> [email protected]> wrote:
>>>
>>>> NAC Experts, I am waiting for your comments.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>>
>>>> On Fri, Jul 15, 2011 at 12:58 PM, Kingsley Charles <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> A NAP policy can have more than one Posture Validation. If there is
>>>>> more than one PV matching, the token which is most restrictive is
>>>>> selected.
>>>>> For example, if tokens corresponding to the matching PVs are
>>>>> Healthy and Quarantine, then ACS selects Quarantine and sends the
>>>>> corresponding authorization parameters like downloadable ACL, vlan and
>>>>> RAC
>>>>> information to the NAD.
>>>>>
>>>>> Hope my understanding is correct. If not, please correct.
>>>>>
>>>>> Said with that, why do we have three types of tokens Cisco:PA,
>>>>> Cisco:Host and Cisco:HIP when configuring PV policy?
>>>>>
>>>>> There may be different elements of Cisco:PA, Cisco:HIP and Cisco:Host
>>>>> in the policy but the corresponding token can be simply Healthy,
>>>>> Quarantine
>>>>> or Transition.
>>>>>
>>>>> But when we want to select a token for PV, we are forced to select
>>>>> Cisco:PA, Cisco:Host and Cisco:HIP? What is the significance of selecting
>>>>> it?
>>>>>
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
