cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1075
Views
0
Helpful
2
Replies

FTD and User identity based rules _CDA

NDP
Level 1
Level 1

Need advise /guidance on CDA integration with FTD

 

We have FTD devices as Internet perimeter Firewalls. As the enterprise network is for Service based company, We expect ramp-up and ramp-down of many projects every week and month. due to this dynamic change in head count, there is always requirement to edit firewall rules or create new rules to meet businness requirements. 

 

LAN network is not 802.1x based. We would like to go with user identity firewall rules instead of IP based rules on these NGFS -FTD boxes. so, We can add DLs as source group in Firewall rules and DL can be managed by project teams only.

 

was going through couple of Cisco URLs and understood that Context Directory agent can fetch data from MS Active directory and help FTD to perform IP-User mapping. 

 

could someone advise me if this was successful integration. if Yes, I need help on pricing as well for CDA. so, We can explore if that reduces OPEX as well.

 

thank you in advance

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

There are two parts to the answer to your question.

1. You need to pull groups and group membership from AD. You do that via direct integration from Firepower Management Center.

2. You need to map IP addresses to users. We do that via an identity source. External identity sources include:

CDA is an old and no longer supported product. It is/was free.

Cisco Firepower User Agent would be a current alternative. It is also free.

The best and most supportable alternative would be to use ISE PIC (Passive Identity Collector). It is a licensed and paid product. Part number R-ISE-PIC-VM-K9= is the VM<-based version and costs US$1250 (list price, not including maintenance).

View solution in original post

2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

There are two parts to the answer to your question.

1. You need to pull groups and group membership from AD. You do that via direct integration from Firepower Management Center.

2. You need to map IP addresses to users. We do that via an identity source. External identity sources include:

CDA is an old and no longer supported product. It is/was free.

Cisco Firepower User Agent would be a current alternative. It is also free.

The best and most supportable alternative would be to use ISE PIC (Passive Identity Collector). It is a licensed and paid product. Part number R-ISE-PIC-VM-K9= is the VM<-based version and costs US$1250 (list price, not including maintenance).

Thank you for your input.
I will check with my vendor for required quote and see if that reduces our OPEX.
Review Cisco Networking for a $25 gift card