cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11312
Views
16
Helpful
17
Replies

CDA Support for Windows Server 2016

lavazzzza
Beginner
Beginner

Has anyone seen a roadmap or ETA for a CDA patch to support Windows Server 2016 Domain Controller connections?  It appears there is a version check since the WMI namespace it is utilizing hasn't changed from server 2012R2.  Its just checking the security event log, I don't understand why there is an OS version constraint to begin with I mean from their doc:

Supported Active Directory Versions

CDA supports the following Active Directory versions:

  • Windows 2003
  • Windows 2003R2
  • Windows 2008
  • Windows 2008 R2
  • Windows 2012
  • Windows 2012 R2

Other than Windows 2000, they support them all.  If someone on the Dev team insisted on putting one in, then test and release an update while the OS has been in Beta.  I'll take back everything bad I have said this past week if I just missed the release AND I will also admit I suck.

17 Replies 17

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

I would be surprised to see any update of CDA's official support listing since that would involve validation testing and support.

Cisco is putting their resources into the more strategic platforms for identity such as ISE. We expect enhancements to ISE's passive identity feature set going forward and even an entry level licensing that's designed to do only that.

aquariibusiness
Beginner
Beginner

i´m facing with this issue too, how did you work arround it?

I haven't heard anything official, but from back-channel sources I've heard that CDA is dead. Cisco has not done their customer base the courtesy of announcing this nor have they done the courtesy of informing their customer base of the supported way forward, which appears to be ISE. People with inside knowledge and people who spend their time pouring over every Cisco product announcement are probably all over this, but the rest of us are not.

My impression here is that Cisco is pulling a bait-and-switch move: offering a very nice feature and then turning around and requiring you to purchase another product to make it work. Hopefully I'm very, very wrong about this. If I'm not, then this is the sort of business practice that makes us look much more closely at other vendors during our next refresh cycle - we would only stick with Cisco ASA if we had no reasonable alternative.

Farhan Mohamed
Cisco Employee
Cisco Employee

Cisco is putting their resources into the more strategic platforms for identity such as ISE. We expect enhancements to ISE's passive identity feature set going forward and even an entry level licensing that's designed to do only that.

ISE-PIC (Identity Services Engine - Passive Identity Connector) has been available for several months now.

http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-738846.html

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_00.html

It is the recommended and supported platform going forward. It is not free, but the list price is just US$1250 plus US$200 per year for full TAC support.

If you have a full ISE deployment, the features are all included in there as well.

We were told ICE-PIC wouldn't currently work with the WSAs and still have the WSA apply policies based on AD groups, at least a month ago now.

My understanding is that ISE-PIC is the "budget" way forward for WSA and ATA identity firewall, but that it's not ready to replace CDA yet.  The situation is a mess for the time being, because CDA is in an appallingly deep state of neglect. We're not impressed at all by the way Cisco is handling this.

Like you Erik, I am not impressed with how Cisco is handeling this. We now have to choose between removing Identity Firewall or staying on Windows AD 2012 indefenitly.

Allegedly ISE-PIC will resolve this issue eventually, and the street price of a pair (for redundancy) isn't going to break many budgets. But the amount of time between the release of Server 2016 and "eventually" is completely ridiculous, and the necessity of adding an additional paid component to maintain existing functionality is sketchy. 

This is arguable worse than the situation with Symantec adding support for Windows 2012 to BackupExec, and comparisons with Symantec are seldom flattering.

Tim Jackson
Beginner
Beginner

Is there an update on the status of this? Are 2016 domain controllers still not supported on the CDA? Workarounds?

No they are still not. It also looks like WSA and CWS are going to go EOL, assumingly with CDA as well.

We have serious problems with our Identity Firewall feature on ASA.
 
We set up our new Windows 2016 domain controllers and added them to the domain.
As a result, users' authentications have also passed through these new Domain controllers, and the CDAs have not noticed the logs from the new DCs, which caused not working firewall rules. So we had to power down our new DCs. 
 
I tried to integrate the 2016 DC into the CDA, but it’s not supported and I only got error messages.

 

We already escalated this to Cisco, but they don‘t have a solution yet. 

SGT is a nice additional feature, but it is not an substitute for us, because it doesn‘t have feature parity to identity firewall. 

Furthermore ISE-PIC is using pxgrid which is not supported by ASA. 

 

So we have actually a scenario were we even cannot work parallel with the old 2008 domain controllers, which makes migration to Win 2016 impossible.

That‘s insane. 

Very late, but finally they added support for Windows 2016 in CDA Patch 6.

https://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/release_notes/cda10_rn.html#pgfId-189162

 

Wow, this was unexpected. Tested and surprisingly it works with Windows Server 2016. Just read the documentation.

This solved an issue we had with IPv6 with CDA using ISE's syslogs as the identity provider, as the syslogs with IPv6 addresses were not parsed.

 

CDA however has its shortcomings

  1. Looking at Windows Event Logs you will get the IP address used when the user logs in. Not a great idea when your clients are dual stack. You will usually only get the IPv6 address. You don't really have control of how the workstation communicates, so if it communicates with a IPv4 only enabled device you don't have identity
  2. IP Filter Exclusions don't work with IPv6. Tried adding a IPv6 subnet but it won't validate the input

 

Other than that the Windows Server 2016 support was welcomed considering there is no alternative from Cisco for a client using ASA and recent Windows Server versions.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: