Has anyone seen a roadmap or ETA for a CDA patch to support Windows Server 2016 Domain Controller connections? It appears there is a version check, since the WMI namespace it is utilizing hasn't changed from Server 2012 R2. It's just checking the security event log; I don't understand why there is an OS version constraint to begin with. I mean, from their doc:
CDA supports the following Active Directory versions:
Other than Windows 2000, they support them all. If someone on the dev team insisted on putting one in, then they should have tested and released an update while the OS was in beta. I'll take back everything bad I have said this past week if I just missed the release AND I will also admit I suck.
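To see what the poster is describing, here is an added PowerShell example (not CDA's own code, and not from Cisco) that does the two things a DC-polling identity agent would do: read the OS version string that a version gate would compare against, and pull logon events from the DC's Security log to build the user-to-IP mapping. The DC name, the one-hour window and the use of event ID 4624 as the relevant record are assumptions for illustration; the page does not say exactly which events or WMI classes CDA queries.

```powershell
# Added example, not CDA's code. Assumes Event Log Readers (or admin) rights
# on the DC and remote event log / WinRM access. The DC name is hypothetical.
param(
    [string]$DomainController = 'dc01.example.local',
    [int]$MaxEvents = 200
)

# 1. The version string a gate like the one described in the thread would
#    inspect. Known values: Server 2012 R2 reports 6.3.9600, Server 2016
#    reports 10.0.14393. The Security log API used below is the same on both.
$os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $DomainController
Write-Host ("{0} runs {1} (version {2})" -f $DomainController, $os.Caption, $os.Version)

# 2. Logon events (ID 4624 is assumed to be the relevant record) from the
#    last hour, parsed into user -> source IP rows.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-1)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                       -MaxEvents $MaxEvents -ErrorAction Stop

$mappings = foreach ($e in $events) {
    # Event fields are only reliably available from the XML rendering.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Skip machine accounts and logons with no usable source address
    # (local console, loopback, service logons); they carry no identity
    # an identity firewall can act on.
    if ($data.TargetUserName -like '*$') { continue }
    if ([string]::IsNullOrEmpty($data.IpAddress) -or
        $data.IpAddress -in @('-', '::1', '127.0.0.1')) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
        SourceIP  = $data.IpAddress
        LogonType = $data.LogonType
    }
}

# Latest mapping per user, which is what a firewall rule would key on.
$mappings | Sort-Object Time -Descending |
    Group-Object User |
    ForEach-Object { $_.Group | Select-Object -First 1 } |
    Format-Table -AutoSize
```

Run it once against a 2012 R2 DC and once against a 2016 DC: the only line that differs is the version string, which is the poster's point that the data source itself did not change between releases.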
I would be surprised to see any update of CDA's official support listing since that would involve validation testing and support.
Cisco is putting their resources into the more strategic platforms for identity such as ISE. We expect enhancements to ISE's passive identity feature set going forward and even entry-level licensing that's designed to do only that.
I haven't heard anything official, but from back-channel sources I've heard that CDA is dead. Cisco has not done their customer base the courtesy of announcing this, nor have they done the courtesy of informing their customer base of the supported way forward, which appears to be ISE. People with inside knowledge and people who spend their time poring over every Cisco product announcement are probably all over this, but the rest of us are not.
My impression here is that Cisco is pulling a bait-and-switch move: offering a very nice feature and then turning around and requiring you to purchase another product to make it work. Hopefully I'm very, very wrong about this. If I'm not, then this is the sort of business practice that makes us look much more closely at other vendors during our next refresh cycle - we would only stick with Cisco ASA if we had no reasonable alternative.
ISE-PIC (Identity Services Engine - Passive Identity Connector) has been available for several months now.
It is the recommended and supported platform going forward. It is not free, but the list price is just US$1250 plus US$200 per year for full TAC support.
If you have a full ISE deployment, the features are all included in there as well.
My understanding is that ISE-PIC is the "budget" way forward for WSA and ASA identity firewall, but that it's not ready to replace CDA yet. The situation is a mess for the time being, because CDA is in an appallingly deep state of neglect. We're not impressed at all by the way Cisco is handling this.
Allegedly ISE-PIC will resolve this issue eventually, and the street price of a pair (for redundancy) isn't going to break many budgets. But the amount of time between the release of Server 2016 and "eventually" is completely ridiculous, and the necessity of adding an additional paid component to maintain existing functionality is sketchy.
This is arguably worse than the situation with Symantec adding support for Windows 2012 to Backup Exec, and comparisons with Symantec are seldom flattering.
We have serious problems with our Identity Firewall feature on ASA.
We set up our new Windows 2016 domain controllers and added them to the domain.
As a result, users' authentications have also passed through these new domain controllers, and the CDAs have not noticed the logs from the new DCs, which caused the firewall rules to stop working. So we had to power down our new DCs.
I tried to integrate the 2016 DC into the CDA, but it's not supported and I only got error messages.
We already escalated this to Cisco, but they don't have a solution yet.
SGT is a nice additional feature, but it is not a substitute for us, because it doesn't have feature parity with identity firewall.
Furthermore, ISE-PIC is using pxGrid, which is not supported by ASA.
So we actually have a scenario where we cannot even run in parallel with the old 2008 domain controllers, which makes migration to Windows 2016 impossible.
Wow, this was unexpected. Tested and surprisingly it works with Windows Server 2016. Just read the documentation.
This solved an issue we had with IPv6 with CDA using ISE's syslogs as the identity provider, as the syslogs with IPv6 addresses were not parsed.
CDA, however, has its shortcomings.
Other than that the Windows Server 2016 support was welcomed considering there is no alternative from Cisco for a client using ASA and recent Windows Server versions.