CDA Alternative

harrison.gareth
Level 1

Hi all

I was planning to configure the Cisco Context Directory Agent (CDA) so we can use AD Groups in the ASA Firewall access rules, but our Active Directory servers will be upgraded to 2016 this year and CDA does not support this OS Version. It doesn't look like Cisco are planning to add support for 2016 so what are the alternatives?

I'm running Cisco ISE ver 2.1 with a Base License. Can this be configured to collect the relevant user-to-IP mapping, and used in place of an AD Server? I'm pretty new to the ISE world, so help would be greatly appreciated.

thanks

2 Accepted Solutions

Marvin Rhoads
Hall of Fame

Yes you can use ISE for this. In fact Cisco has productized that subset of features in "ISE-PIC" or Passive Identity Connector. It is also available with full ISE (base license feature) since 2.1.

The PIC feature uses WMI to query your Windows server and is described in more detail here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_00.html?referring_site=RE&pos=1&page=http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01011.html

They released an update to CDA to support 2016 if you're still using it... 


7 Replies

Hi Marvin

When I try to add an AD Controller under PassiveID, the supported OS versions do not include Server 2016, so it looks like I'll need to upgrade to 2.2 first.

Thanks for your help

Hello

We are using ISE 2.7 and still have CDA for one specific AD group. This CDA is configured as an agent on one of the ASA 5555s.

We are trying to get rid of the CDA and I was thinking to use ISE's Passive ID instead, but Cisco told me I need Firepower (FMC) for that.

Do I really need FMC to replace CDA? Can I do it on ISE only, without Firepower?

Hi @alexeradze,

Please take a look at the EoS & EoL Announcement for the CDA.

"...

Product Migration Options

While there is no direct migration path from CDA to another identity provider for the ASA platform, Cisco Firepower Management Center (FMC) utilizes Cisco Identity Services Engine (ISE) and/or ISE-PIC (Passive Identity Connector) to provide user identity information via Cisco Platform Exchange Grid (PxGrid). Customers who rely on user-based information for firewall policies can migrate from ASA to Firepower and utilize that integration for user-based firewall policy enforcement across the entire Cisco security product portfolio.

..."

Hope this helps!!!

Hi Marcelo

That is the whole idea: not to use Firepower.

The existing setup is using Windows AD, an ASA and the CDA.

I am looking for a solution to replace CDA with ISE, which we are already using for VPN and more. So it will be Windows AD, the same ASA and ISE instead of CDA.

Maksim Tikunov
Level 1

Hi,

Here is a solution to integrate new ISE versions with CDA: https://www.isecdabroker.com
It really works!