08-11-2014 08:29 AM - edited 03-11-2019 09:37 PM
I have a lab set up to test ACLs with AD users/groups.
Current setup:
3 VMware instances on one host machine:
Microsoft Server 2012 with Active Directory and DNS
Cisco Context Directory Agent
Windows 7
This host is connected to the "Server" interface of the firewall and both
DC/DNS = 192.168.1.100
CDA = 192.168.1.200
Windows 7 = Varied (change to test IP Mapping of CDA)
Host = 192.168.1.10
ASA = 192.168.1.1
I have full communication between all devices, firewalls disabled on host machines, and full any/any rules on the firewall to prevent any traffic from being blocked as I troubleshoot this.
The agent is connected up to the domain controller and does correctly map users to IPs as I log in/out.
The ASA has the agent configured and tests just fine when I use the Test button in ASDM.
From the ASA CLI I am able to query AD and pull a list of AD groups and users.
I have ACLs created that use the domain\user as the source with any/any, just trying to see if anything will match.
When I go to Monitoring > Identity > Users, the users that I have in the ACLs appear as inactive.
Any assistance with this would be greatly appreciated. Previously I had this lab set up with the AD Agent and was able to get this to work with on-demand mode but not full-download. Now with CDA I am unable to get either going.
Thanks
08-12-2014 02:45 PM
After tweaking our ACLs we were able to get this to pull the IP-to-user mapping when in on-demand mode.
Full download mode still does not retrieve the mapping.
12-05-2014 12:35 PM
What tweaking did you do to get this working?