The Cisco Context Directory Agent (CDA) is an application that runs on a Cisco Linux machine. It monitors, in real time, a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP addresses to user identities in its database; and makes the latest mappings available to its client devices.
Client devices, such as the Cisco Adaptive Security Appliance (ASA) and the Cisco IronPort Web Security Appliance (WSA), interact with the Cisco CDA using the RADIUS protocol in order to obtain the latest set of IP-to-user-identity mappings, in any one of the following ways:
• On-Demand—The Cisco CDA can respond to an on-demand query from the client device for a specific mapping.
• Full Download—The Cisco CDA can respond to a request from the client device for the entire set of mappings currently in its cache.
For both the on-demand and full-download methods, the request from the client device can be specially tagged to indicate that it also includes a registration regarding any subsequent updates.
For example, when a client device sends a basic on-demand query, the Cisco CDA responds with the specific mapping if it is found in its cache, and sends no further updates about that mapping. If the on-demand query also includes a registration, the initial response from the Cisco CDA is the same as before; if that specific mapping later changes, the Cisco CDA proactively notifies the requesting client device (as well as any other client devices that have registered for notification) about the change in that specific mapping.
Similarly, when a client device requests a basic full download, the Cisco CDA transfers a snapshot of the session data containing all of the mappings currently in its cache, and sends no further updates. If the request instead registers for replication, the initial response from the Cisco CDA is the same as before. If the set of mappings later changes in any way (new mappings added, existing mappings changed, and so on), the Cisco CDA proactively notifies the requesting client device (as well as any other client devices that have registered for replication) about these changes, relative to the snapshot that was previously sent.
The IP-to-user-identity mappings that are discovered, maintained, and provided by the Cisco CDA can include not only IPv4 addresses, but also IPv6 addresses.
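To make the four request styles concrete, here is an added Python simulation of the notification semantics described above, covering both IPv4 and IPv6 keys. It is not Cisco's code and carries no RADIUS framing; the MappingCache and Client classes, the method names, and the sample addresses and user names are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

def canon(ip):                       # normalise IPv4/IPv6 spelling before lookups
    return str(ipaddress.ip_address(ip))

@dataclass(eq=False)
class Client:
    name: str
    watched: set = field(default_factory=set)   # IPs registered via on-demand query
    replicate: bool = False                     # registered with a full download
    inbox: list = field(default_factory=list)   # (ip, old_user, new_user) notices

class MappingCache:                  # stand-in (assumed) for the CDA mapping cache
    def __init__(self):
        self.mappings = {}      # canonical ip -> user identity
        self.clients = set()    # client devices registered for updates
    def on_demand(self, client, ip, register=False):
        ip = canon(ip)
        if register:                # tagged request: also subscribe to this mapping
            client.watched.add(ip)
            self.clients.add(client)
        return self.mappings.get(ip)            # None when not in cache
    def full_download(self, client, register=False):
        if register:                # tagged request: subscribe to replication
            client.replicate = True
            self.clients.add(client)
        return dict(self.mappings)              # snapshot of the whole cache
    def learn(self, ip, user):      # a DC logon event yielded (ip, user)
        ip = canon(ip)
        old = self.mappings.get(ip)
        if old == user:
            return                              # unchanged, nothing to notify
        self.mappings[ip] = user
        for c in self.clients:      # push deltas only to registered clients
            if c.replicate or ip in c.watched:
                c.inbox.append((ip, old, user))  # change relative to what c holds

def scenario():
    """Constructed run covering the four request styles described in the text."""
    cache = MappingCache()
    cache.learn("10.0.0.5", "CORP\\alice")
    cache.learn("2001:DB8::17", "CORP\\bob")              # stored as 2001:db8::17
    plain, asa, wsa = Client("plain"), Client("asa"), Client("wsa")
    cache.on_demand(plain, "10.0.0.5")                    # basic on-demand: no updates
    cache.on_demand(asa, "10.0.0.5", register=True)       # on-demand + registration
    snap = cache.full_download(wsa, register=True)        # full download + replication
    cache.learn("10.0.0.5", "CORP\\carol")                # existing mapping changes
    cache.learn("10.0.0.9", "CORP\\dave")                 # new mapping appears
    return snap, plain.inbox, asa.inbox, wsa.inbox
```

The unregistered client receives nothing after its query, the on-demand registrant sees only the change to the one mapping it asked about, and the replication registrant sees every delta relative to its snapshot.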
The Cisco CDA can send logs to one or more syslog servers.
The Cisco CDA continues to function if any of the Active Directory domain controllers or client devices fail; it obtains information from the other domain controllers. However, there is no failover for the Cisco CDA itself. The Cisco CDA includes a “watchdog” function that continuously monitors its internal Linux processes and automatically restarts any that it detects have crashed. While the CDA has no failover of its own, the solution as a whole does support failover, controlled by the consumer devices: they can configure a primary and a secondary CDA (similar to a primary and secondary RADIUS server) and fail over to the secondary if the primary is unresponsive. Note that the primary and secondary CDAs are completely unaware of each other and do not exchange any state information.