ASA 5515 CX with CDA

imranraheel
Level 1

I want to deploy ASA 5515 CX with CDA. Is there any deployment guide to perform this?

2 Replies

maciej.kohut
Level 1

Hello all,

Did you deploy the ASA CX with CDA? What was your experience?

I'm testing this configuration now. If you read all the guides mentioned above by Collin, you should be able to properly configure ASA CX for passive user authentication with CDA.

Most of the things you have to do are on the M$ AD controller (especially if you want to use a non-admin account); CDA installation and configuration is quite straightforward. ASA CX configuration to use CDA is also simple. In configuring M$ I noticed that, although we had the firewall rule to accept WMI traffic active, we had to explicitly allow TCP traffic from CDA.

CDA maps users to IPs correctly if one user is logged in to the machine. If two or more users are logged in to the machine, CDA maps only the last logged-in user, so if user A has a deny-all policy and logs in to the machine, and another user B with a permit-all policy logs in to the same machine after user A, the policy will probably permit traffic from user A also, because the CDA mappings table will contain a record mapping the machine IP to only one user. Of course, if user A is logged in to several different machines, several mappings (IP addresses) appear in the CDA table for this user. That is the behavior we observed in our test.

We also noticed that an access policy which we build using a user object as the source doesn't work when we use passive authentication with CDA. Logging traffic and showing which user does what works OK in this configuration.

We didn't check active authentication yet.

The version of our test ASA CX is

Cisco ASA CX Platform 9.2.1.1 (48)

Best regards,

Maciek
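
The following is an added example, not part of the original thread and not Cisco's CDA code: a small model of the last-logged-on-user mapping behaviour described in the reply above, used to flag IP addresses where identity-based policy cannot be trusted. The event tuple format, the 8-hour window and the function names are assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (timestamp, client IP, user); not real CDA output.
EVENTS = [
    ("2014-03-01T08:00:00", "10.0.0.21", "userA"),
    ("2014-03-01T08:05:00", "10.0.0.21", "userB"),
    ("2014-03-01T08:10:00", "10.0.0.35", "userA"),
    ("2014-03-01T09:00:00", "10.0.0.40", "userC"),
]

def build_mappings(events):
    """Last-writer-wins IP -> user table, the behaviour observed in the post."""
    table = {}
    for _ts, ip, user in sorted(events):  # ISO timestamps sort chronologically
        table[ip] = user                  # a later logon replaces the earlier one
    return table

def shared_ips(events, window=timedelta(hours=8)):
    """IPs where two or more distinct users logged on within `window`.

    Assumption: users who logged on within the window may still be active,
    so a one-user-per-IP mapping is ambiguous for these hosts.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, logons in by_ip.items():
        logons.sort()
        users = set()
        for i, (t0, u0) in enumerate(logons):
            for t1, u1 in logons[i + 1:]:
                if t1 - t0 > window:
                    break
                if u1 != u0:
                    users.update((u0, u1))
        if users:
            flagged[ip] = sorted(users)
    return flagged

def masked_users(events):
    """Per shared IP: users whose traffic is attributed to the last logged-on user."""
    table = build_mappings(events)
    return {ip: [u for u in users if u != table[ip]]
            for ip, users in shared_ips(events).items()}
```

Hosts reported by `shared_ips` (terminal servers, shared workstations) are candidates for IP-based rules or active authentication rather than passive user-based policy.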
