If you really need to know when and where to use "contains" and "=", then you should know about the internal values of the posture credentials sent for each type.

There is a big list of attributes for Cisco:HIP, Cisco:Host and Cisco:PA. For now, let's rule out Cisco:HIP. The following are the attributes that we will mostly test:

- Cisco:PA-Version
- Cisco:PA-Name
- Cisco:OS-Type
- Cisco:OS-Version
- Cisco:Host:HostFQDN
- Cisco:Host:HotFixes
- Cisco:Host:ServicePacks

You can't memorize all the values. You can find some of the values on the client in the following ways:

- Type "winmsd" in Run; you will get the "System Information" window.
- Go to My Computer, right click > Properties. You can find information on Service Packs, Computer name and OS type.

- Cisco:PA-Version will always be in the format X.X.X.X, so you can use either = or contains.
- Cisco:PA-Name will always be "Cisco Trust Agent", so you can use either = or contains.
- Cisco:OS-Type will always be like "Windows blah blah", so you can use either = or contains.
- Cisco:OS-Version will always be in the format X.X.X.X, so you can use either = or contains.
- Cisco:Host:HostFQDN will be a string, so you can use either = or contains.
- Cisco:Host:ServicePacks will be in the format "Service Pack X", so you can use either = or contains.
- Cisco:Host:HotFixes: this is tricky, as there can be multiple service packets, so better use contains. If you know the exact Hotfixes, then use "=". I have used "=" for Cisco:Host:HotFixes and it has worked for me.

Now let me tell you how I do my NAC configuration. This way, you can use "=" itself for the attributes, as you would know the exact values for each attribute.

- Go to System Configuration > Logging > Passed > CSV > Enable Log and then select all the types of Cisco:PA, Cisco:HIP and Cisco:Host to be logged.
- Configure the Posture Validation Policy with rules having whatever types of Cisco:PA, Cisco:HIP and Cisco:Host. When doing it for practice, select all the types that I have mentioned above. If you know the correct values for the attributes, give them; else give some dummy values in the format that I have mentioned. For example, if you don't know the Hotfix value, then enter Cisco:Host:ServicePacks=KB1234.
- Configure a NAP policy and associate the PV policy to it. The NAP policy should be configured according to the type of NAC implementation.
- Send traffic from the client and trigger NAC. Since you have a NAP policy configured, the NAC request will fall in the NAP policy and will be logged in the Pass logs irrespective of whether the PV policy has matched or not. If the PV rules didn't match, then you will see the Default Posture Plugin assigned. But you will see it in the Pass logs if the NAC request correctly falls in the NAP policy.
- Now just scroll the Pass logs to your left; you will see that the ACS has captured all the values for each type of attribute that you selected in the Posture Validation Policy. Remember that ACS will only capture the values if you have selected that parameter in the Posture Validation Policy.
- So now you know the values. Tune the Posture Validation Policy. You can use "=" confidently because you know the exact values.

In the mock labs and the real lab, I guess you will be given values. If you don't find the policy matching, just check the logs and you can find the exact value.

Folks, NAC is a bit complicated. You need to do it multiple times to gain confidence on this feature. Just knowing it from others' input won't help. Please don't mistake me :-) Hope this helps.

With regards
Kings

On Sun, Jul 24, 2011 at 11:11 PM, Ishwinder Cheema <[email protected]> wrote:
> In this particular case, here is what I believe would be the correct solution:
>
> Two rules, with 'AND' within a rule and 'OR' between the rules (because a host can have only a single OS at that time, hence 'OR' between the two rules, and the Service Pack has to exist in conjunction with the OS, hence 'AND' within the rule itself).
>
> OS type 'contains' Windows XP, Service Pack '=' 3 etc.
>
> Regards,
> Ishwinder
>
>
> On Sun, Jul 24, 2011 at 9:48 PM, Adil Pasha <[email protected]> wrote:
>
>> Thanks Ishwinder,
>>
>> So if I have to match Windows XP with Service Pack 4 or Windows 2000 with Service Pack 3, something like that, using "contains" will be the safest option since it will cover "=" in it. What is the correct answer, so that I will not get zero in the lab?
>> What is the string for Windows XP with Service Pack 4?
>> Any suggestions?
>> Thanks in advance.
>>
>> Also, if I have to check the above 2 conditions:
>> Should I create 2 separate rules with "AND" inside?
>> Or just 1 rule with "AND" inside and "OR" between them?
>>
>> What is the correct answer for the second question?
>>
>> Best Regards.
>> ______________________
>> Adil S Pasha
>> iNET SYSTEMS, INC.
>> IT Consulting Services - (Client: Morgan Stanley)
>> New York, USA.
>> Off: 516.742.7532
>> Cell: 516.524.9361
>> [email protected]
>>
>> On Jul 24, 2011, at 11:55 AM, Ishwinder Cheema wrote:
>>
>> So if I have to match Windows XP with Service Pack 4 or Windows 2000 with Service Pack 3, something like that, using "contains" will be the safest option since it will cover "=" in it.
>>
>>
>
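As an added illustration (not part of the thread and not Cisco ACS code), here is a small Python model of the rule evaluation the thread describes: "=" versus "contains" on the posture attributes named above, with AND inside a rule and OR between rules. The attribute names come from the thread; the sample credential values, the exact-match/substring semantics, and the flattening of a multi-valued Cisco:Host:HotFixes into one comma-separated string are all assumptions made for the example.

```python
# Added example: toy model of ACS-style posture-rule evaluation as the thread describes it.
# Attribute names are from the thread; sample values are constructed. Semantics are an
# assumption, not Cisco code: "=" is an exact match on the whole attribute string,
# "contains" is a substring match; a multi-valued attribute (HotFixes) is flattened
# into one comma-separated string, which is what makes "=" brittle for it.

# Constructed posture credentials for one Windows XP client.
XP_HOST = {
    "Cisco:PA-Name": "Cisco Trust Agent",
    "Cisco:PA-Version": "2.1.103.0",
    "Cisco:OS-Type": "Windows XP Professional",
    "Cisco:Host:ServicePacks": "Service Pack 3",
    "Cisco:Host:HotFixes": ["KB1234", "KB5678"],  # more than one hotfix installed
}

def attr_value(creds, name):
    """Return the attribute as one string; list-valued attributes are joined."""
    v = creds.get(name, "")
    return ",".join(v) if isinstance(v, list) else v

def condition_matches(creds, cond):
    """cond is (attribute, operator, expected); operator is "=" or "contains"."""
    attr, op, expected = cond
    actual = attr_value(creds, attr)
    if op == "=":
        return actual == expected
    if op == "contains":
        return expected in actual
    raise ValueError(f"unknown operator {op!r}")

def rule_matches(creds, rule):
    """Conditions within one rule are ANDed."""
    return all(condition_matches(creds, c) for c in rule)

def policy_matches(creds, policy):
    """Rules within one policy are ORed."""
    return any(rule_matches(creds, r) for r in policy)

# Two rules, AND inside each, OR between them: XP with SP3, or Windows 2000 with SP4.
OS_SP_POLICY = [
    [("Cisco:OS-Type", "contains", "Windows XP"),
     ("Cisco:Host:ServicePacks", "=", "Service Pack 3")],
    [("Cisco:OS-Type", "contains", "Windows 2000"),
     ("Cisco:Host:ServicePacks", "=", "Service Pack 4")],
]

def hotfix_check(creds, kb):
    """Same hotfix checked with both operators; "=" fails once several are installed."""
    return {"=": rule_matches(creds, [("Cisco:Host:HotFixes", "=", kb)]),
            "contains": rule_matches(creds, [("Cisco:Host:HotFixes", "contains", kb)])}
```

Run `policy_matches(XP_HOST, OS_SP_POLICY)` and `hotfix_check(XP_HOST, "KB1234")` to see the OS/Service Pack policy match while "=" on a single hotfix misses the multi-hotfix host.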
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
