topic Re: CDA AND ISE PIC in Network Access Control

CDA AND ISE PIC

muath salman — Fri, 21 Feb 2020 18:36:47 GMT

Hi,

Regarding the identity based FW (ASA), I have a customer who is in great need for either CDA to support AD-2016 or use ISE-PIC to support the radius connector/integraton with ASA. Please can you share when these features will be available.

Re: CDA AND ISE PIC

Timothy Abbott — Tue, 24 Oct 2017 14:47:33 GMT

Hi,

We cannot discuss roadmap in this forum. You will need to reach out to your product management team to discuss when the CDA RADIUS interface will become available in ISE-PIC.

Regards,

-Tim

Re: CDA AND ISE PIC

alexeradze — Mon, 20 Nov 2017 19:41:38 GMT

Hello Timothy

thanks for your reply.

I was reading on ISE-PIC and I saw - "ISE PIC is a lightweight ISE version which focuses on Passive ID features."

Would you know if the ISE version 2.0.0.306 (ISE-VM-K9) ADE-OS Version 2.3.0.17 should be able to replace the CDA? Currently our ASA 5555 has the CDA as the Ad-agent. But when I replace the CDA with the ISE on the ASA, we I am getting this message:

ASA# test aaa-server ad-agent ISE-SERVER host x.x.x.x

INFO: Attempting Ad-agent test to IP address <x.x.x.x> (timeout: 12 seconds)

ERROR: Ad-agent Server not responding: No response from server

ISE and ASA can ping each other ok. Also mapping on ISE is working OK (I see the logs)

So, should this be working on ISE (not on ISE-PIC)?

thank you

Re: CDA AND ISE PIC

Timothy Abbott — Mon, 20 Nov 2017 19:45:30 GMT

Hi Alex,

ISE-PIC was introduced as part of ISE version 2.2. You will need a minimum of ISE 2.2 to use the enhanced PassiveID features but remember, ISE 2.2 or 2.3 does not currently have the CDA RADIUS interface the ASA needs to get identity information.

Regards,

-Tim

Re: CDA AND ISE PIC

alexeradze — Mon, 20 Nov 2017 22:34:29 GMT

Thank you Timothy

Re: CDA AND ISE PIC

ffischer — Tue, 18 Sep 2018 07:10:04 GMT

I have a client who would need this feature as well ...

Any news about this ?

Does ISE 2.4 have the RADIUS interface from CDA to provide mappings ?

Or has pxGrid found its way to the ASA feature list ?

BR,

Frank

Re: CDA AND ISE PIC

Jason Kunst — Tue, 18 Sep 2018 15:07:08 GMT

I checked with our SMEs on this and its no and no. We are working on adding a RADIUS interface to ISE passive ID but cannot discuss roadmap feature on a public forum. please reach out through our product management team through sales channel

Re: CDA AND ISE PIC

ffischer — Tue, 18 Sep 2018 16:02:09 GMT

Thanks, Jason... !

Re: CDA AND ISE PIC

Maksim Tikunov — Sun, 12 Mar 2023 18:16:19 GMT

Hi,

Here is a solution to integrate new ISE versions with CDA: https://www.isecdabroker.com
It really works!

Re: CDA AND ISE PIC

mbisko — Sun, 12 Mar 2023 20:29:03 GMT

As CDA protocol was removed from ISE roadmap, we have also built app, that allows ASA to read identities from ISE. It is based on pxGrid v2 and reverse engineered CDA protocol. Thus no need for Cisco CDA product. Works great in full download mode.

Available for others as product.

Martin

Re: CDA AND ISE PIC

fernandobvds — Thu, 27 Jul 2023 13:38:47 GMT

Hello, Mbisko! Dou you have some procedure or link to share witch us how to solve this problem? Here I have Cisco ASA witch CDA and our ADs can't be update.

Re: CDA AND ISE PIC

mbisko — Thu, 27 Jul 2023 16:56:41 GMT

Hello,

you need Cisco ISE with pxGrid enabled and properly licensed to share identites. You also need at least one Linux server (rather two for HA) with dotNet support installed on. Our service will maybe run on Windows but it was probably never tested.

The service connects to the pxGrid and receives information about service points on the Cisco ISE to reach two services for full identity database update and incremental identity updates. The service needs username/password authentication enabled for pxGrid and does not support certificate based authentication.

These two sources of information are translated into ASA language. What our service does not purpously support is identity update which is generated by the ASA. It drops all these updates. If you need this functiopnality we would need some time to code and test. The scenario we built this service for, needs these ASA sourced identity updates blocked. We support IPv6 updates and our code fixes several Cisco ISE issues where some identity updates are malformed time to time. We support only "full download mode", not "on demand mode". (https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-idfw.html)

If you are interested, I can provide you with the code and demo license and help you configure it.

Some information (probably not very usefull for you:-)) can be found here:

https://www.alefnula.com/identity-bridge.c-591.html

BR, Martin

Re: CDA AND ISE PIC

fernandobvds — Fri, 28 Jul 2023 00:05:23 GMT

Do You are a company thar implement this solution?

Re: CDA AND ISE PIC

mbisko — Fri, 28 Jul 2023 11:52:16 GMT

Yes, of course. It is running for more than 18 months at one of the biggest banks in the Czech Republic without any issue. It serves identities to two VPN gateways and user firewall for LAN and WiFi.

Martin