ISE - Passive Identity Connector

Context Directory Agent (CDA) only supports Windows 2008 and Windows 2012, and it doesn't support Windows 2016.

Our vendor said ISE-PIC (Passive Identity Connector) can be used to replace CDA, and ISE-PIC supports Windows 2016.

Has anybody tried to use ISE-PIC to replace CDA? How can we do that?

Many Thanks!

Dennis Lam

1 Accepted Solution

Timothy Abbott
Cisco Employee

Hi,

ISE-PIC can't replace CDA currently because it is missing the CDA RADIUS interface.  Products like WSA and ASA still rely on that functionality for identity.

Regards,

-Tim

paul
Level 10

ISE PIC or a full ISE install with Passive ID enabled can do the same job as CDA, i.e. scan domain controller logs to gather user-to-IP mappings. ISE's Passive ID has other supported inputs as well to get user-to-IP mappings.

I haven't worked with CDA much, but the real question is whether the devices you are relying on CDA to provide user-to-IP mappings to support pxGrid integration with ISE. I have only worked with Passive ID to replace the Firepower User Agent. In this case, FMC joins the pxGrid and receives user-to-IP information from ISE via the pxGrid.

I think the most glaring product that still requires CDA for identity is the ASA. The ASA uses RADIUS to communicate with CDA.

Maksim Tikunov
Level 1

Hi,

Here is a solution to integrate new ISE versions with CDA: https://www.isecdabroker.com
It really works!