View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Home » Security » SEC0147 - ASA CX Passive Authentication

SEC0147 - ASA CX Passive Authentication

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
Category: 
Security
The video shows you the second method of obtaining user identity on Cisco ASA CX using Passive Authentication. We will leverage the User-to-IP mapping information provided by CDA by configuring CX device as a consumer. Once the mapping information is available to CX, minor modification will be performed on the Identity Policy and you will see how users are saved from having to enter their credentials as we saw in the Active Authentication. We will also discuss and demonstrate some caveats to this method towards the end of the lab.
 
Topic:
  • CX Passive Authentication
  • CDA Integration and Consumer Configuration
  • Identities Policy
  • Roaming Uers
Tag: 
asa
cx
ngfw
authentication
passive authentication
cda

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
http://www.linkedin.com/in/methachiewanichakorn

5 comments

Submitted by sherief on Wed, 02/22/2017 - 15:25

Hi Metha,
I integrate ISE with CDA, i didn`t add domain in CDA.
I did all the steps from ASA side and CDA side, but I receive only very few users-IP mapping on my ASA.
i defined CDA as a radius in ASA configs.
I configured Ldap integration also in ASA
also i can see ASA as registered device normally under consumer devices.

any missing steps. ??

Submitted by admin on Thu, 02/23/2017 - 20:52

Can you let us know how exactly you are configuring ASA to integrate with CDA and if there is a documentation you follow? Are you doing Identity Firewall or with Cisco CX?

Submitted by sherief on Thu, 02/23/2017 - 23:21

Hi Metha, thanks for your kind reply,
I'm doing Identity firewalling, I can't find a recent document how to do the config on ASA side. I'm following old one (https://supportforums.cisco.com/document/80646/asa-idfw-identity-firewal...) except the section of installing the AD-agent software in AD server.
I'm only adding CDA as a radius server in ASA, and I make test from ASDM and give successful.

Thanks a lot.

Submitted by admin on Mon, 02/27/2017 - 21:24

We haven't seen ASA working directly with CDA so you might want to confirm with Cisco if it is supported.  The most common way today is to used ASA Firepower or FTD to integrate with AD Agent or through ISE.

Submitted by sherief on Wed, 02/22/2017 - 15:26

Hi Metha.
Do you have any video for ASA integration with CDA.

Poll

Vote for the Next Video Series