04-20-2017 08:41 PM
Context Directory Agent (CDA) only supports Windows 2008 and Windows 2012 and it doesn't support Windows 2016.
Our vendor said ISE-PIC (Passive Identity Connector) can be used to replace CDA and ISE-PIC supports Windows 2016.
Has anybody tried to use ISE-PIC to replace CDA? How can we do that?
Many Thanks!
Dennis Lam
04-21-2017 09:00 AM
Hi,
ISE-PIC can't replace CDA currently because it is missing the CDA RADIUS interface. Products like WSA and ASA still rely on that functionality for identity.
Regards,
-Tim
04-21-2017 07:09 AM
ISE PIC or a Full ISE install with Passive ID enabled can do the same job as CDA, i.e. scan domain controller logs to gather user to IP mappings. ISE's passive ID has other supported inputs as well to get user to IP mappings.
I haven't worked with CDA much, but the real question is do the devices you are relying on CDA to provide user to IP mappings support pxGrid integration with ISE. I have only worked with Passive ID to replace the Firepower User Agent. In this case, FMC joins the pxGrid and receives user to IP information from ISE via the pxGrid.
04-21-2017 08:14 AM
I think the most glaring product that still requires CDA for identity is the ASA. The ASA uses RADIUS to communicate with CDA.
03-12-2023 11:19 AM
Hi,
Here is a solution to integrate new ISE versions with CDA: https://www.isecdabroker.com
It really works!