Yes, CDA/AD Agent is required for IDFW.
CDA does all the work to query the domain controllers about logon events, convert the data into something useable and send that data off to the ASA. The ASA lacks the capability of the CDA server for communication with the domain controllers.
If you want to know more about what CDA does, check out https://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_oveviw.html
Active Directory Domain Controller Machines
CDA monitors the security event log of the Active Directory domain controllers in order to retrieve information about user logins and deliver this data to the consumer devices.
Upon startup, CDA reads a time-based window (history) of users that are already logged in. After CDA is up and running, it monitors and retrieves user logins in real time. Connection is required between CDA and the Active Directory domain controller for retrieving the user login events.
To connect to the Active Directory domain controllers, the CDA uses an Active Directory user.
An Active Directory user used by CDA must have the required permissions in order to connect and monitor the Active Directory domain controllers.
The Active Directory user used by CDA can be a member of the Domain Admin Group; however, this is not mandatory if you have installed the latest CDA patch (any future CDA patches would include this functionality as well).
The connection between CDA and the Active Directory domain controller is also authenticated using MS NTLM protocol. CDA patch 2 supports NTLMv1 and NTLMv2.
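The startup history window and real-time updates described in the quoted overview can be modelled as follows. This is an added example, not Cisco's code or part of the original post; the record layout, the one-hour window, the `LoginMap` class and keying the table by source IP are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logon records (timestamp, user, source IP); not real log data.
# The record layout is an assumption made for this example.
SAMPLE_EVENTS = [
    ("2024-05-01T06:00:00", "EXAMPLE\\alice", "10.0.0.5"),  # older than the window
    ("2024-05-01T11:30:00", "EXAMPLE\\bob",   "10.0.0.7"),
    ("2024-05-01T11:45:00", "EXAMPLE\\carol", "10.0.0.7"),  # later logon, same IP
    ("2024-05-01T12:05:00", "EXAMPLE\\alice", "10.0.0.9"),  # arrives after startup
]

class LoginMap:
    """Hypothetical IP-to-user table built from logon events."""

    def __init__(self, history=timedelta(hours=1)):
        self.history = history   # assumed window length
        self.by_ip = {}          # ip -> (user, time of logon)

    def apply(self, event):
        """Real-time path: record one logon event."""
        ts, user, ip = event
        when = datetime.fromisoformat(ts)
        current = self.by_ip.get(ip)
        # Keep only the most recent logon seen for each address.
        if current is None or when >= current[1]:
            self.by_ip[ip] = (user, when)

    def load_history(self, events, now):
        """Startup path: replay only events inside the history window."""
        cutoff = now - self.history
        for ev in events:
            if cutoff <= datetime.fromisoformat(ev[0]) <= now:
                self.apply(ev)

    def user_for(self, ip):
        entry = self.by_ip.get(ip)
        return entry[0] if entry else None

def demo():
    start = datetime.fromisoformat("2024-05-01T12:00:00")
    table = LoginMap()
    table.load_history(SAMPLE_EVENTS[:3], start)  # history read at startup
    table.apply(SAMPLE_EVENTS[3])                 # event seen in real time
    return table

if __name__ == "__main__":
    for ip, (user, when) in sorted(demo().by_ip.items()):
        print(ip, user, when.isoformat())
```

A logon older than the window never enters the table, so a consumer device would have no identity for that address until the user authenticates again.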