Cisco CDA is compatible with Cisco AD Agent. If AD Agent is already deployed in the network, you can replace it with Cisco CDA configured to match, without software changes or upgrades to the other components of the Identity Based Firewall solution (the Active Directory servers and the identity consumer devices, ASA/WSA).
Before you transition from Cisco AD Agent to Cisco CDA, record the following AD Agent configuration details:
• General configuration options:
Use the AD agent command adacfg options list
• Syslog servers, including IP address and facility:
Use the AD agent command adacfg syslog list
• Connected Active Directory DC list, including username, password, host and domain FQDNs:
Use the AD agent command adacfg dc list (the output does not show the password).
• Consumer devices (or subnets), including IP address/subnet, shared secret:
Use the AD agent command adacfg client list (the output does not show the shared secret).
See the Installation and Setup Guide for the Active Directory Agent, Release 1.0 for the syntax and output examples for the above commands. Because the DC account passwords and the consumer shared secrets are not printed by these commands, retrieve them from wherever they were originally recorded before you begin; you will need them again when you configure Cisco CDA.
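The following script is an added example for this guide, not Cisco tooling: it runs the four adacfg list commands named above and saves their output into a directory readable only by the current user, since the DC list exposes account names and FQDNs and the client list exposes consumer addresses. It assumes adacfg is on the PATH (the ADACFG variable is an assumed override for testing) and it records in a README that the passwords and shared secrets still have to be obtained separately.

```shell
#!/bin/sh
# Added example (not part of the Cisco guide). Captures the AD Agent
# inventory that the migration procedure asks you to record.
# Assumptions: the "adacfg <item> list" commands from the text exist on
# the AD Agent host; ADACFG is an assumed override of the binary name.
# Passwords and shared secrets are NOT in this output: adacfg does not
# print them, so they must come from your password store.

capture_adagent_inventory() (
    # Subshell body: umask and exit codes stay local to this function.
    outdir="$1"
    adacfg_cmd="${ADACFG:-adacfg}"

    # The inventory names DC accounts and consumer subnets: restrict it.
    umask 077
    mkdir -p "$outdir" || exit 1
    chmod 700 "$outdir" || exit 1

    # One file per list command, e.g. <outdir>/dc.txt for "adacfg dc list".
    for item in options syslog dc client; do
        if ! "$adacfg_cmd" "$item" list > "$outdir/$item.txt" 2>&1; then
            echo "adacfg $item list failed; see $outdir/$item.txt" >&2
            exit 1
        fi
    done

    # State explicitly what this capture does not contain.
    cat > "$outdir/README.txt" <<EOF
AD Agent inventory captured $(date -u +%Y-%m-%dT%H:%M:%SZ)
Not included (adacfg does not print them):
  - passwords for the DC accounts listed in dc.txt
  - shared secrets for the consumers listed in client.txt
EOF
)

# Usage on the AD Agent host, for example:
#   capture_adagent_inventory /root/adagent-migration
```

Run it on the AD Agent host before you decommission it, and keep the resulting directory alongside the secrets you retrieve from your password store; together they are the complete input for the Cisco CDA configuration steps that follow.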
Install and configure the Cisco CDA to correspond to your existing Cisco AD Agent application.
• Optionally configure the Active Directory General Settings. The three timers map as follows; where the defaults differ, set the Cisco CDA value explicitly if you want to keep the AD Agent behavior rather than accept the new default:
AD monitoring in Cisco CDA is the equivalent of dcStatusTime in Cisco AD Agent (the Cisco CDA default is 10 seconds; the Cisco AD Agent default is 60 seconds).
History in Cisco CDA is the equivalent of dcHistoryTime in Cisco AD Agent (the Cisco CDA default is 10 minutes; the Cisco AD Agent default is 24 hours).
User logon expiration period in Cisco CDA is the equivalent of userLogonTTL in Cisco AD Agent (the 24 hours default is the same in both).
• Set the security policy on the DC machines. Cisco AD Agent and Cisco CDA differ in their Active Directory security policy requirements only on Windows Server 2008 R2. For Cisco CDA, set the account permissions on Microsoft Windows Server 2008 R2 as described in Step 2 of the “Adding and Editing Active Directory Servers” section on page 7.
• Optionally, configure the Log Level setting in Cisco CDA to correspond to logLevel in AD Agent.
• Optionally, add any syslog servers from adacfg syslog list to Cisco CDA.
• Add all Active Directory Servers from adacfg dc list to Cisco CDA.
• Add all Identity Consumers from adacfg client list to Cisco CDA.
If you replace the AD Agent server with the Cisco CDA server using the same hostname/IP address, and configure the identity consumers in Cisco CDA with the same shared secrets, no changes are required in the consumer device (ASA/WSA) configuration: the consumer devices automatically connect to Cisco CDA to retrieve identity mapping information.
If instead you add a new Cisco CDA server to your deployment, you must update the configuration on each consumer device to point to the new Cisco CDA server. For more information, refer to the ASA and WSA documentation on Cisco.com.