01-19-2018 07:19 AM - edited 02-21-2020 10:43 AM
Hello,
Is it possible to restrict/control access to the Internet/services using AD functionality (Windows Svr 2012 R2)?
I saw some setups, but only with the FirePower virtual appliance as the AD user-ID controller, which needs an additional license and VM machine + AD agent.
Can I do it with a fully licensed ASA5506-X (IPS+URL+Anti-malware) and WS2012 only, like with Palo Alto (no agents, only an additional AD user to query the AD database)?
Thanks for links/pointers.
Rav
01-19-2018 08:10 AM
The Cisco AD Agent and Context Directory Agent (CDA) are both no longer developed.
You can still use CDA however and use usernames and/or groups in your ACLs to avail yourself of the "Identity Firewall" feature. CDA is free but does need to be installed on all AD servers in your domain that process logins.
The ASA's ability to query AD directly is limited to AAA services (for either ASA administration or VPN uses) and cannot be used with ACLs.
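What the Identity Firewall setup mentioned above looks like on the ASA side, as an added example that is not part of the original thread: the ASA binds to AD over LDAP to import users and groups, receives user-to-IP mappings from the agent (the AD Agent or CDA) over RADIUS, and then ACLs can match on users and groups. The domain name EXAMPLE, the addresses 10.1.1.10 (domain controller) and 10.1.1.20 (agent), the service account asa-svc, the group Interns, the user rav, the interface name "inside" and the ACL name inside_in are all assumptions chosen for the example.

```text
! Added example: ASA Identity Firewall configuration (not from the thread).
! Assumed: domain EXAMPLE, DC at 10.1.1.10, agent at 10.1.1.20,
! service account asa-svc, interface "inside".

! 1. AD domain: the LDAP bind the ASA uses to import users and groups
aaa-server adserver protocol ldap
aaa-server adserver (inside) host 10.1.1.10
 ldap-base-dn DC=EXAMPLE,DC=COM
 ldap-group-base-dn DC=EXAMPLE,DC=COM
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,CN=Users,DC=EXAMPLE,DC=COM
 ldap-login-password <service-account-password>
 server-type microsoft

! 2. Agent (AD Agent / CDA): RADIUS channel that delivers user-to-IP mappings
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 10.1.1.20
 key <shared-secret>
user-identity ad-agent aaa-server adagent

! 3. Identity options, then enable the feature
user-identity domain EXAMPLE aaa-server adserver
user-identity default-domain EXAMPLE
user-identity action domain-controller-down EXAMPLE disable-user-identity-rule
user-identity action netbios-response-fail remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity enable

! 4. Identity-based ACL: single backslash for a user, double backslash for a group
object-group user restricted-web-users
 user-group EXAMPLE\\Interns
 user EXAMPLE\rav
access-list inside_in extended deny tcp object-group-user restricted-web-users any eq 80
access-list inside_in extended deny tcp object-group-user restricted-web-users any eq 443
access-list inside_in extended permit ip any any
access-group inside_in in interface inside

! 5. Checks: agent reachability, learned sessions, mapping for one user
test aaa-server ad-agent adagent
show user-identity ad-agent
show user-identity user active list detail
show user-identity ip-of-user EXAMPLE\rav
```

Two points worth checking before relying on this. First, the LDAP account only needs read access to the directory; do not reuse a privileged account for the bind. Second, the `domain-controller-down` action decides how the policy fails: `disable-user-identity-rule` stops evaluating the identity ACEs while the domain is unreachable, so a deny-based policy like the one above falls through to the final permit (it fails open), whereas a permit-based policy with a default deny fails closed; `remove-user-ip` instead drops the learned mappings. Pick the one that matches what you want to happen when AD is unavailable.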
01-22-2018 02:11 AM
thanks for the reply,
So all I need is to install the agent on the AD server and configure it to communicate with the ASA box to take control over the users'/groups' traffic passing through the firewall, and no VM is needed?
Any PDFs/links to set this up? I saw only "big setups" for a bunch of ASAs and a separate VM to control them.
Rgds
Rav
01-23-2018 05:30 AM
Sorry - I misspoke earlier.
The old AD Agent installed directly on the servers. CDA is its own standalone VM. It is very lightweight though and the couple of times I set it up for customers it worked fine. I wouldn't encourage either of those since they may have issues with the more recent server OS like Server 2016+.
Cisco positions ISE as the strategic solution. They have a special license called ISE PIC (Passive Identity Collector) that can be purchased and is currently supported and actively developed. It's actually the same ISE server as a full installation but license-limited to do only the identity bits. It's priced at about US$1250 for up to 3000 user sessions.
Here is a FAQ for ISE PIC:
03-05-2018 06:27 AM
Hello,
Thank you for your answer.
This means that the ASA5506-X is definitely not an NGFW out of the box like its competitors, because you have to BUY, install and set up another piece of software.
Using Palo Alto or even Juniper it is really simple; with Cisco you have to spend another couple of thousand dollars. That's at least a pity.
:^(((