We have installed two ASA service modules into our 6509 switches. They are both working fine, but we are now looking into the option of using the Cisco Context Directory Agent for identity firewalling.
So far we have a VM running the Cisco ISO downloaded from the site, and that connects to all our AD servers. The ASAs have been registered to the CDA server and can connect to the AD servers themselves to pull down usernames and groups. I have tested that it all works with different usernames and groups, and all works well.
The problem we have is that we run a number of terminal services servers that users can connect to.
I have rules on the ASA that user A can connect to server X from the terminal service server but user B cannot connect to server X.
When user A logs in to the TS server he can connect to server X, but if user B also logs in to the TS server they can also get to server X, even though there is a rule to say they cannot.
Now I understand the reason why this happens: it is because of the IP address that the user is mapped to. We have Palo Alto firewalls that use a plugin installed on the TS server which allows multiple users to be connected at the same time, which would allow the rules above to work as they should.
The question is: is there a plugin available for the ASAs that performs a similar function?
Any help is appreciated.