topic Re: CDA Alternative in Network Access Control

CDA Alternative

harrison.gareth — Mon, 11 Mar 2019 07:51:53 GMT

Hi all

I was planning to configure the Cisco Context Directory Agent (CDA) so we can use AD Groups in the ASA Firewall access rules, but our Active Directory servers will be upgraded to 2016 this year and CDA does not support this OS Version. It doesn't look like Cisco are planning to add support for 2016 so what are the alternatives?

I'm running Cisco ISE ver 2.1 with a Base License . Can this be configured to collect the relevant user to IP mapping, and used in place of an AD Server? I'm pretty new to the ISE world so help would be greatly appreciated

thanks

Yes you can use ISE for this.

Marvin Rhoads — Tue, 18 Jul 2017 15:34:58 GMT

Yes you can use ISE for this. In fact Cisco has productized that subset of features in "ISE-PIC" or Passive Identity Connector. It is also available with full ISE (base license feature) since 2.1.

The PIC feature uses WMI to query your Windows server and is described in more detail here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_00.html?referring_site=RE&pos=1&page=http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01011.html

Hi Marvin

harrison.gareth — Wed, 19 Jul 2017 01:27:12 GMT

Hi Marvin

When i try to add an AD Controller under PassiveID the supported OS versions does not include Server 2016 so it looks like i'll need to upgrade to 2.2 first

Thanks for your help

Re: CDA Alternative

Ken Stieers — Fri, 10 May 2019 19:20:37 GMT

They released an update to CDA to support 2016 if you're still using it...

Re: Yes you can use ISE for this.

alexeradze — Tue, 11 Jan 2022 21:49:17 GMT

Hello

We are using ISE 2.7 and still have CDA for one specific AD group. thia CDA is configured as an agent on one of the ASA 5555's.

we are trying to get rid of the CDA and I was thinking to use ISE's passive ID instead but Cisco told me I need firepower (FMC) for that.

Do i really need FMC to replace CDA? can I do it on ISE only without firepower?

Re: Yes you can use ISE for this.

Marcelo Morais — Thu, 10 Mar 2022 07:23:29 GMT

Hi @alexeradze ,

please take a look at the EoS & EoL Announcement for the CDA.

"...

Product Migration Options

While there is no direct migration path from CDA to another identity provider for the ASA platform, Cisco Firepower Management Center (FMC) utilizes Cisco Identity Services Engine (ISE) and/or ISE-PIC (Passive Identity Connector) to provide user identity information via Cisco Platform Exchange Grid (PxGrid). Customers who rely on user-based information for firewall policies can migrate from ASA to Firepower and utilize that integration for user-based firewall policy enforcement across the entire Cisco security product portfolio.

..."

Hope this helps !!!

Re: Yes you can use ISE for this.

alexeradze — Wed, 12 Jan 2022 00:03:00 GMT

Hi Marcelo

that is the whole idea not to use firepower.

the existing setup is using windows AD, an ASA and the CDA.

i am looking for a solution to replace cda with ISE which we are already using for VPN and more. So it will be windows AD, the same ASA and ISE instead of CDA

Re: CDA Alternative

Maksim Tikunov — Sun, 12 Mar 2023 18:18:24 GMT

Hi,

Here is a solution to integrate new ISE versions with CDA: https://www.isecdabroker.com
It really works!