Functional Overview

Figure 1-1 shows a simplified view of the Cisco CDA solution. In this example, a user logs in to a computer and generates web traffic by requesting access to a server. The client device intercepts the web traffic and sends a RADIUS request to the Cisco CDA asking which user is logged in to that computer. The Cisco CDA, which maintains the latest set of IP-to-user-identity mappings, returns the user information to the client device. The client device then uses the user identity to decide whether or not to grant the end user access.

When an ASA is deployed in the network as a VPN concentrator, the Cisco CDA also accepts mapping update events, in addition to the logon events it receives from Active Directory.

Figure 1-1 Cisco CDA Architecture


The Cisco CDA is responsible for:

 • Supplying IP-to-user-identity mappings to consumer devices (by push and by pull, singly and in bulk).

 • Receiving IP-to-user-identity mapping notifications from consumer devices.

 • Providing an interface for retrieving the status of the various components (the Cisco CDA and the domain controllers).

 • Maintaining a session directory of IP-to-user-identity mappings.

 • Caching the session information.

 • Learning mappings in real time and notifying the consumer devices of changes.

 • Reading historical log data to learn about existing IP-to-user-identity mappings.

 • Providing a GUI for configuring the Cisco CDA and for viewing the current mapping list and log events.

 • Periodically removing expired mappings. Expiration is governed by the user logon TTL.
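The responsibilities above (learning mappings from logon events, serving single and bulk pulls, pushing changes to subscribed consumers, and expiring entries by a logon TTL) can be modelled as one small session directory. The following Python is an added illustration written for this overview; it is not Cisco CDA code and does not reproduce the agent's real protocol, event format or TTL semantics. The logon-event records, the `SessionDirectory` class and its method names, and the assumption that the TTL counts from the most recent logon event for an address are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed logon-event timeline (seconds from an arbitrary epoch), standing
# in for the Active Directory logon records the agent would read. Hypothetical
# values, not captured from any real domain controller.
LOGON_EVENTS = [
    {"ts": 0,   "ip": "10.1.1.5", "user": "EXAMPLE\\alice"},
    {"ts": 100, "ip": "10.1.1.6", "user": "EXAMPLE\\bob"},
    {"ts": 200, "ip": "10.1.1.5", "user": "EXAMPLE\\alice"},  # same user again: refresh only
    {"ts": 500, "ip": "10.1.1.6", "user": "EXAMPLE\\carol"},  # address now used by another user
]


@dataclass
class Mapping:
    ip: str
    user: str
    learned_at: float  # time of the most recent logon event for this address


Listener = Callable[[str, str, Optional[str]], None]  # (event, ip, user)


class SessionDirectory:
    """Minimal IP-to-user session directory with TTL expiry and change notification."""

    def __init__(self, logon_ttl: float) -> None:
        self.logon_ttl = logon_ttl
        self._sessions: Dict[str, Mapping] = {}
        self._listeners: List[Listener] = []

    def subscribe(self, listener: Listener) -> None:
        """Register a consumer that wants changes pushed to it."""
        self._listeners.append(listener)

    def _notify(self, event: str, ip: str, user: Optional[str]) -> None:
        for listener in self._listeners:
            listener(event, ip, user)

    def learn(self, ip: str, user: str, ts: float) -> bool:
        """Ingest one logon event. Returns True when the mapping actually changed."""
        current = self._sessions.get(ip)
        self._sessions[ip] = Mapping(ip, user, ts)
        if current is None:
            self._notify("add", ip, user)
            return True
        if current.user != user:
            # The address now belongs to a different user: a consumer still holding
            # the old mapping would authorize the wrong person, so push the change.
            self._notify("update", ip, user)
            return True
        return False  # same user; only the timestamp was refreshed

    def _is_live(self, m: Mapping, now: float) -> bool:
        return now - m.learned_at < self.logon_ttl

    def lookup(self, ip: str, now: float) -> Optional[str]:
        """Single pull. An entry past its TTL is reported as unknown even before the
        periodic sweep removes it, so a stale mapping never grants access."""
        m = self._sessions.get(ip)
        return m.user if m and self._is_live(m, now) else None

    def bulk(self, now: float) -> Dict[str, str]:
        """Bulk pull of every live mapping (what a consumer fetches at startup)."""
        return {ip: m.user for ip, m in self._sessions.items() if self._is_live(m, now)}

    def expire(self, now: float) -> List[str]:
        """Periodic cleanup: drop mappings older than the logon TTL and notify."""
        gone = [ip for ip, m in self._sessions.items() if not self._is_live(m, now)]
        for ip in gone:
            del self._sessions[ip]
            self._notify("remove", ip, None)
        return gone


def replay(events, logon_ttl: float) -> Tuple[SessionDirectory, List[Tuple[str, str, Optional[str]]]]:
    """Replay a logon-event list into a fresh directory and collect the pushes sent."""
    pushes: List[Tuple[str, str, Optional[str]]] = []
    directory = SessionDirectory(logon_ttl)
    directory.subscribe(lambda ev, ip, user: pushes.append((ev, ip, user)))
    for e in sorted(events, key=lambda e: e["ts"]):
        directory.learn(e["ip"], e["user"], e["ts"])
    return directory, pushes


if __name__ == "__main__":
    d, pushes = replay(LOGON_EVENTS, logon_ttl=3600)
    print("pushes after replay:", pushes)
    print("10.1.1.5 at t=1000 ->", d.lookup("10.1.1.5", now=1000))
    print("expired at t=3800:", d.expire(now=3800))
    print("bulk at t=3800:", d.bulk(now=3800))
```

Two design choices matter from a defender's point of view. First, a re-logon by the same user refreshes the timestamp without notifying anyone, while a different user appearing on the same address is pushed immediately, because the consumer's policy decision depends on exactly that change. Second, `lookup` applies the TTL itself rather than trusting the periodic sweep, so the window in which an expired mapping could still be used for an access decision is closed regardless of how often cleanup runs.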

The Cisco CDA interacts with the following components in a network:

 • Consumer Device

 • Active Directory Domain Controller Machines

 • Syslog Servers