Did you deploy the ASA CX with CDA? What experience?
I'm testing this configuration now. If you read all the guides mentioned above by Collin, you should properly configure the ASA CX for passive user authentication with CDA.
Most of the things you have to do are on the M$ AD controller (especially if you want to use a non-admin account); CDA installation and configuration is quite straightforward. ASA CX configuration to use CDA is also simple. In configuring M$ I noticed that, although we had a firewall rule to accept WMI traffic active, we had to explicitly allow TCP traffic from CDA.
CDA maps users to IPs correctly if one user is logged on to the machine. If two or more users are logged on to the machine, CDA maps only the last logged-on user, so if user A has a deny-all policy and logs on to the machine, and another user B with a permit-all policy logs on to the same machine after user A, the policy will probably permit traffic from user A also, because in the CDA mappings table there will be a record mapping the machine IP to only one user. Of course, if user A is logged on to several different machines, several mappings (IP addresses) appear in the CDA table for this user. That is the behavior we observed in our test.
Also, we noticed that an access policy which we build using a user object as the source doesn't work when we are using passive authentication with CDA. Logging traffic and showing which user does what works OK in this configuration.
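A small model of the mapping behaviour described in the post above, added here as an example (it is not Cisco code and not from the original poster): it builds a one-user-per-IP table where the last logon wins, then flags IPs where several users logged on close together, which are the hosts where IP-based identity policy is unreliable. The event format, the sample events, the function names and the 8-hour window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp, client IP, user). Not real data.
EVENTS = [
    ("2024-01-10T08:00:00", "10.0.0.5", "userA"),
    ("2024-01-10T08:05:00", "10.0.0.5", "userB"),  # second user, same machine
    ("2024-01-10T08:10:00", "10.0.0.7", "userA"),  # userA on another machine
    ("2024-01-10T09:00:00", "10.0.0.9", "userC"),
]

def _ordered(events):
    """Parse timestamps and return events in chronological order."""
    return sorted((datetime.fromisoformat(ts), ip, user) for ts, ip, user in events)

def last_logon_mapping(events):
    """Model of the observed table: one user per IP, later logon overwrites."""
    mapping = {}
    for _, ip, user in _ordered(events):
        mapping[ip] = user
    return mapping

def ips_for_user(mapping, user):
    """All IPs currently mapped to a user (one user may hold several)."""
    return sorted(ip for ip, u in mapping.items() if u == user)

def ambiguous_ips(events, window=timedelta(hours=8)):
    """IPs where different users logged on within `window` (assumed value).

    Logoff events are not modelled in this sketch.
    """
    history = defaultdict(list)  # ip -> [(time, user)]
    flagged = {}
    for ts, ip, user in _ordered(events):
        recent = {u for t, u in history[ip] if u != user and ts - t <= window}
        if recent:
            flagged.setdefault(ip, set()).update(recent | {user})
        history[ip].append((ts, user))
    return flagged

if __name__ == "__main__":
    table = last_logon_mapping(EVENTS)
    for ip, users in ambiguous_ips(EVENTS).items():
        print(f"{ip}: mapped to {table[ip]}, but {sorted(users)} share it")
    print("userA still mapped at:", ips_for_user(table, "userA"))
```

Hosts flagged this way (terminal servers, shared workstations) are candidates for exclusion from user-based rules or for active authentication instead.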