Re: CDA with AD on windows server 2016

Madura Malwatte · ‎03-24-2018

I have a WSAv installed in my network and need to get single sign-on working. However reading the CDA installation guide it does not list it supporting Active Directory on Windows Server 2016. Whether or not its supported can I still use the same installation steps for windows server 2016? If not what are the modified steps to get it to work?

I need to get this to work and am scratching my head on how to do it...

David Niemann · ‎03-24-2018

I would think as long as you follow the same directions for the most recentl version of Windows server it should still work. Using the permissions changes on the DCs shouldn't have changed that much. Keep in mind I believe CDA will be going away in favor of ISE-PIC so you may want to look into that. As of yet I don't think the WSA code supports it yet, but I do believe it's coming. I'm still using CDAs for my transparent authentication, but I have ISE enabled for passive authentication and I can see how WSA will be able to get what it wants from that.

Madura Malwatte · ‎03-24-2018

Thanks. I am looking for an immediate solution and as I understand ISE will cost money? The first step (Full Control permissions on the following registry keys) in the guide fails on windows server 2016. Has anyone got this working on 2016? If so can someone please confirm the steps? I don't want to chase this and spend hours going through the steps only to find it doesn't work (by the way I am not that experienced in active directory).

skizhakk · ‎03-20-2019

WSA supports ISE-PIC for passive identity from its 11.7 release.

sadik.sener1 · ‎03-29-2019

Hi,

You actually don't need CDA or ISE at all.

I recently performed an installation to a customer. I started with CDA then had to give up.

If you are using CDA, in some cases you might end up with wrong ip user mappings. (When clients connect to Remote desktops)

: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCui66331/?reffering_site=dumpcr

Just join the WSA to domain. Use the method attached. (If you are using AsyncOS version greater than 10.5.1)

Its works just fine.

You can even use Kerberos with this method which is more secure and faster.

Sadik

ermalb · ‎05-02-2019

Patch 6 adds support for Win. Server 2016, as per the below link.

https://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/release_notes/cda10_rn.html#pgfId-189162

dkorell · ‎08-27-2020

I came across this after upgrading our domain controllers from 2008 R2 to 2019 and found that CDA (and ISE PIC) sees the 2019 servers as 2016 so patch 6 is working.

keithsauer507 · ‎09-16-2020

Yes patch 6 does allow CDA to work. There are exceptions/filter rules you can add in CDA to correct things like service accounts being mapped to IP's and whatnot. It does seem like development is done and everything will require ISE in the future. Because of the costs associated, we are now opening up our migration plans to other vendors. If Cisco will require us to spend money, we have to spend money, so might as well look at Palo Alto and Fortigate. We are looking to replace ESA with Proofpoint, WSA and the ASA firewalls with something from Palo Alto or Fortigate - with web filtering and application layer firewalling and threat detection at heart.