
ASA5506 with FirePower and AD users IDentification

ralf_kaminski
Level 1

Hello,

 

Is it possible to restrict/control access to the Internet/services using AD functionality (Windows Svr2012 R2)?

I saw some setups, but only with a FirePower virtual appliance as the AD user-ID controller, which needs an additional license and a VM + AD agent.

 

Can I do it with a fully licensed ASA5506-X (IPS+URL+Anti-malware) and WS2012 only - like with PaloAlto (no agents, only an additional AD user to query the AD database)?

 

Thanks for links/pointers

 

Rav

4 Replies

Marvin Rhoads
Hall of Fame

The Cisco AD Agent and Context Directory Agent (CDA) are both no longer developed.

 

You can still use CDA however and use usernames and/or groups in your ACLs to avail yourself of the "Identity Firewall" feature. CDA is free but does need to be installed on all AD servers in your domain that process logins.

 

The ASA's ability to query AD directly is limited to AAA services (for either ASA administration or VPN uses) and cannot be used with ACLs.
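As an added illustration of the Identity Firewall setup described in the reply above (this is not configuration from the original thread or from Cisco's documentation): the ASA points one aaa-server group at AD over LDAP for user/group lookups, and a second RADIUS group in ad-agent mode at the CDA (or the legacy AD Agent) that feeds it the user-to-IP mappings; user-identity ties the two together, after which ACLs can match on `user` and `user-group` instead of only on addresses. All hostnames, IPs, the domain nickname EXAMPLE, the group and user names and the secrets below are made up for the example.

```text
! AD domain controller, queried over LDAPS for user and group membership.
! (ldap-over-ssl + port 636 keep the bind credentials off the wire in the clear.)
aaa-server adserver protocol ldap
aaa-server adserver (inside) host 10.1.1.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <redacted>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft

! CDA (or the old AD Agent) that pushes user-to-IP mappings to the ASA over RADIUS.
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 10.1.1.20
 key <shared-secret>

! Bind the domain nickname to the LDAP group and point the ASA at the agent.
user-identity domain EXAMPLE aaa-server adserver
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server adagent
user-identity enable

! Identity-aware ACL on the inside interface:
!  - one named user is blocked outright (must precede the group permit, since
!    the user may also be a member of that group),
!  - members of Internet-Users may reach HTTPS anywhere,
!  - everything else from the LAN is denied.
access-list inside_in extended deny ip user EXAMPLE\contractor1 192.168.10.0 255.255.255.0 any
access-list inside_in extended permit tcp user-group EXAMPLE\\Internet-Users 192.168.10.0 255.255.255.0 any eq 443
access-list inside_in extended deny ip any any
access-group inside_in in interface inside
```

Note the syntax difference the ASA expects: a single backslash for `user DOMAIN\name` but a double backslash for `user-group DOMAIN\\name`. Once this is in place, `show user-identity user active` lists the mappings the agent has delivered, and `test aaa-server ad-agent adagent` confirms the ASA can reach the agent; if a host has no mapping the ACL sees it as an unknown user, so keep an explicit final deny rather than relying on the group permit alone.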

thanks for the reply,

 

So all I need is to install the agent on the AD server and configure it to communicate with the ASA box to take control over the users'/groups' traffic passing through the firewall, and no VM is needed?

Any PDFs/links on how to set this up? I saw only "big setups" for a bunch of ASAs and a separate VM to control them.

 

Rgds

 

Rav

Sorry - I misspoke earlier. 

 

The old AD Agent installed directly on the servers. CDA is its own standalone VM. It is very lightweight though and the couple of times I set it up for customers it worked fine. I wouldn't encourage either of those since they may have issues with the more recent server OS like Server 2016+.

 

Cisco positions ISE as the strategic solution. They have a special license called ISE PIC (Passive Identity Collector) that can be purchased and is currently supported and actively developed. It's actually the same ISE server as a full installation but license-limited to do only the identity bits. It's priced at about US$1250 for up to 3000 user sessions.

 

Here is a FAQ for ISE PIC:

 

https://communities.cisco.com/docs/DOC-70144

Hello,

 

Thank you for your answer.

This means that the ASA5506-X is definitely not an NGFW out of the box like its competitors, because you have to BUY, install and set up additional software.

Using PaloAlto or even Juniper it is really simple - with CISCO you have to spend another couple of thousand $ - that is a pity, to say the least.
:^(((