
CDA AND ISE PIC

muath salman
Cisco Employee

Hi,

Regarding the identity-based FW (ASA), I have a customer who is in great need for either CDA to support AD 2016 or ISE-PIC to support the RADIUS connector/integration with the ASA. Can you please share when these features will be available?

Accepted Solution

Timothy Abbott
Cisco Employee

Hi,

We cannot discuss roadmap in this forum. You will need to reach out to your product management team to discuss when the CDA RADIUS interface will become available in ISE-PIC.

Regards,

-Tim


13 Replies

Hello Timothy

thanks for your reply.

I was reading about ISE-PIC and I saw: "ISE PIC is a lightweight ISE version which focuses on Passive ID features."

Would you know if ISE version 2.0.0.306 (ISE-VM-K9), ADE-OS version 2.3.0.17, should be able to replace the CDA? Currently our ASA 5555 has the CDA as the AD agent. But when I replace the CDA with the ISE on the ASA, I am getting this message:

ASA# test aaa-server ad-agent ISE-SERVER host x.x.x.x
INFO: Attempting Ad-agent test to IP address <x.x.x.x> (timeout: 12 seconds)
ERROR: Ad-agent Server not responding: No response from server

ISE and ASA can ping each other OK. Also, mapping on ISE is working OK (I see the logs).

So, should this be working on ISE (not on ISE-PIC)?

thank you

Hi Alex,

ISE-PIC was introduced as part of ISE version 2.2. You will need a minimum of ISE 2.2 to use the enhanced PassiveID features, but remember, neither ISE 2.2 nor 2.3 currently has the CDA RADIUS interface the ASA needs to get identity information.

Regards,

-Tim

I have a client who would need this feature as well...

Any news about this?

Does ISE 2.4 have the RADIUS interface from CDA to provide mappings?

Or has pxGrid found its way to the ASA feature list?

BR,

Frank

I checked with our SMEs on this and it's no and no. We are working on adding a RADIUS interface to ISE Passive ID but cannot discuss roadmap features on a public forum. Please reach out to our product management team through your sales channel.

Thanks, Jason... !

Maksim Tikunov
Level 1

Hi,

Here is a solution to integrate new ISE versions with CDA: https://www.isecdabroker.com
It really works!

mbisko
Level 1

As the CDA protocol was removed from the ISE roadmap, we have also built an app that allows the ASA to read identities from ISE. It is based on pxGrid v2 and a reverse-engineered CDA protocol, so there is no need for the Cisco CDA product. Works great in full download mode.

Available to others as a product.

Martin

fernandobvds
Level 1

Hello, mbisko! Do you have some procedure or link to share with us on how to solve this problem? Here I have a Cisco ASA with CDA and our ADs can't be updated.

Hello,

you need Cisco ISE with pxGrid enabled and properly licensed to share identities. You also need at least one Linux server (rather two for HA) with .NET support installed. Our service will maybe run on Windows, but it was probably never tested there.

The service connects to the pxGrid and receives information about service points on the Cisco ISE to reach two services for full identity database update and incremental identity updates. The service needs username/password authentication enabled for pxGrid and does not support certificate based authentication.

These two sources of information are translated into ASA language. What our service purposely does not support is identity updates generated by the ASA; it drops all of these updates. If you need this functionality, we would need some time to code and test it. The scenario we built this service for needs these ASA-sourced identity updates blocked. We support IPv6 updates, and our code fixes several Cisco ISE issues where some identity updates are malformed from time to time. We support only "full download mode", not "on demand mode". (https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-idfw.html)

If you are interested, I can provide you with the code and demo license and help you configure it.

Some information (probably not very useful for you :-)) can be found here:

https://www.alefnula.com/identity-bridge.c-591.html

BR, Martin
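For readers following Alex's failed "test aaa-server ad-agent" earlier in the thread and Martin's note that his bridge serves only "full download mode", here is the ASA side of the identity firewall that any CDA-compatible agent (the Cisco CDA itself, or a bridge such as the ones offered above) has to answer. This is an added example, not configuration posted by anyone in the thread or shipped with any of the products named; the server group names, interface, addresses, domain, LDAP DN, shared secret and the 10.x addresses are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). Names, addresses, domain and secrets are assumptions.

! LDAP server the ASA uses to import AD users and groups for the domain
aaa-server ds protocol ldap
aaa-server ds (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=com
 ldap-login-password REPLACE_ME
 server-type microsoft

! RADIUS server group in AD-agent mode: this is the CDA RADIUS interface the ASA
! queries for user-to-IP mappings. ISE 2.x does not answer it (see Tim's replies),
! which is why the ad-agent test in the thread reports "No response from server".
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 10.0.0.5
 key REPLACE_ME_SHARED_SECRET
 timeout 12

! Bind the identity firewall to the agent group and the AD domain
user-identity ad-agent aaa-server adagent
user-identity domain EXAMPLE aaa-server ds
user-identity default-domain EXAMPLE

! full-download pulls the whole user-IP table from the agent and then takes
! incremental updates; on-demand queries the agent per unknown IP. Martin's bridge
! supports only full-download, so that is the mode shown here.
user-identity ad-agent active-user-database full-download

! Fail closed for identity rules if the agent stops answering
user-identity action ad-agent-down disable-user-identity-rule
user-identity enable

! Verification (exec mode, not part of the running config):
! test aaa-server ad-agent adagent host 10.0.0.5
! show user-identity ad-agent
! show user-identity user-of-ip 10.1.2.3
```

Two checks before blaming the agent: the `key` must match the RADIUS shared secret configured for this ASA on the agent side (the CDA requires the ASA to be registered as a consumer device), and the agent must actually implement the CDA RADIUS interface on the host you point at; a plain ISE node that is otherwise reachable by ping, as in Alex's case, will still time out here.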

Are you a company that implements this solution?

Yes, of course. It is running for more than 18 months at one of the biggest banks in the Czech Republic without any issue. It serves identities to two VPN gateways and user firewall for LAN and WiFi.

Martin