08-11-2014 08:29 AM - edited 03-11-2019 09:37 PM
I have a lab set up to test ACLs with AD users/groups.
Current setup:
3 VMware instances on one host machine:
Microsoft Server 2012 with Active Directory and DNS
Cisco Context Directory Agent
Windows 7
This host is connected to the "Server" interface of the firewall and both
DC/DNS = 192.168.1.100
CDA = 192.168.1.200
Windows 7 = Varied (change to test IP Mapping of CDA)
Host = 192.168.1.10
ASA = 192.168.1.1
I have full communication between all devices, firewalls disabled on host machines, and full any/any rules on the firewall to prevent any traffic from being blocked as I troubleshoot this.
The agent is connected up to the domain controller and does correctly map users to IPs as I log in/out.
The ASA has the agent configured and tests just fine when I use the Test button in ASDM.
From the ASA CLI I am able to query AD and pull a list of AD groups and users.
I have ACLs created that use the domain\user as the source with any/any just trying to see if anything will match.
When I go to Monitoring > Identity > Users the users that I have in the ACLs appear as inactive.
Any assistance with this would be greatly appreciated. Previously I had this lab set up with the AD Agent and was able to get this to work with on-demand mode but not full-download. Now with CDA I am unable to get either going.
Thanks
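For reference, here is a minimal ASA identity-firewall configuration for a lab laid out like the one above, added here as an illustration; it is not the poster's configuration and not taken from Cisco's documentation for this thread. The domain name EXAMPLE, the LDAP bind DNs, the aaa-server group names, the ACL name and the user jdoe are assumed placeholders; the 192.168.1.x addresses are the ones listed in the post.

```cisco
! LDAP group the ASA uses to query AD for users and groups
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (Server) host 192.168.1.100
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=local
 ldap-login-password <placeholder>
 server-type microsoft
!
! RADIUS group pointing at the Context Directory Agent (ad-agent-mode)
aaa-server CDA-AGENT protocol radius
 ad-agent-mode
aaa-server CDA-AGENT (Server) host 192.168.1.200
 key <placeholder>
!
! Tie the identity firewall to the AD domain and to the agent
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server CDA-AGENT
! on-demand: ASA asks the agent for a mapping when it sees a new IP;
! full-download: ASA pulls the agent's whole active-user table
user-identity ad-agent active-user-database on-demand
! Fail closed: if the agent is unreachable, user-based rules stop matching
user-identity action ad-agent-down disable-user-identity-rule
user-identity user-not-found enable
user-identity enable
!
! User-based ACL: traffic from domain user jdoe, applied on the Server interface
access-list SERVER_IN extended permit ip user EXAMPLE\jdoe any any
access-list SERVER_IN extended deny ip any any
access-group SERVER_IN in interface Server
!
! Verification commands (privileged EXEC, not configuration):
! test aaa-server ad-agent CDA-AGENT
! show user-identity ad-agent
! show user-identity user active
! show user-identity ip-of-user EXAMPLE\jdoe
```

A user shows as inactive in Monitoring > Identity > Users until the ASA holds an IP-to-user mapping for it, so `show user-identity user active` after logging in on the Windows 7 host is the first thing to compare against the mapping the CDA itself reports.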
08-12-2014 02:45 PM
After tweaking our ACLs we were able to get this to pull the IP to user mapping when in on-demand mode.
Full download mode still does not retrieve the mapping.
12-05-2014 12:35 PM
What tweaking did you do to get this working?