Identity firewall not matching IP to user via CDA

Mike Traylor
Level 1

I have a lab set up to test ACLs with AD users/groups.

Current setup:

3 VMware instances on one host machine:

Microsoft Server 2012 with Active Directory and DNS

Cisco Context Directory Agent

Windows 7 

This host is connected to the "Server" interface of the firewall and both 

DC/DNS = 192.168.1.100

CDA = 192.168.1.200

Windows 7 = Varied (change to test IP Mapping of CDA)

Host = 192.168.1.10

ASA = 192.168.1.1

I have full communication between all devices, firewalls disabled on host machines, and full any/any rules on the firewall to prevent any traffic from being blocked as I troubleshoot this.


The agent is connected to the domain controller and does correctly map users to IPs as I log in/out.


The ASA has the agent configured and tests just fine when I use the Test button in ASDM.


From the ASA CLI I am able to query AD and pull a list of AD groups and users.

I have ACLs created that use the domain\user as the source with any/any, just trying to see if anything will match.


When I go to Monitoring > Identity > Users, the users that I have in the ACLs appear as inactive.


Any assistance with this would be greatly appreciated. Previously I had this lab set up with the AD Agent and was able to get it to work in on-demand mode but not full-download. Now with CDA I am unable to get either working.


Thanks

2 Replies

Mike Traylor
Level 1

After tweaking our ACLs we were able to get this to pull the IP-to-user mapping when in on-demand mode.


Full download mode still does not retrieve the mapping.

What tweaking did you do to get this working?
