Table of Contents
These release notes describe the role of the Cisco Context Directory Agent in an identity-based solution, its limitations and restrictions (caveats), and related information. These release notes supplement the Cisco Context Directory Agent documentation that is included with the software, and cover the following topics:
- Context Directory Agent Requirements
- Context Directory Agent License Information
- Important Notes
- Installing the Context Directory Agent Software
- Open Caveats in Cisco Context Directory Agent Release 1.0
- Resolved Caveats in Cisco Context Directory Agent Release 1.0 Patch 1
- Resolved Caveats in Cisco Context Directory Agent Release 1.0 Patch 2
- Open Caveats in Cisco Context Directory Agent Release 1.0, Patch 2
- Resolved Caveats in Cisco Context Directory Agent Release 1.0 Patch 3
- Documentation Updates
- Related Documentation
Unlike traditional security mechanisms, Cisco security gateways such as ASA-CX, WSA, ASA, and the cloud-based CWS service enforce policy based on the context of the entity requesting access. Traditional network and content security gateways relied only on the entity's IP address to decide whether to let its traffic through; today's Cisco products can take much more information into account and make decisions based on the complete context of the network entity, such as the user currently using it, its operating system, and its location. Security administrators write policies that reference this context, and when traffic hits the security gateway, the gateway needs to determine the context of the originating (and sometimes also the destination) IP address.
Cisco Context Directory Agent (CDA) maps IP addresses to usernames so that security gateways know which user is using which IP address in the network and can make decisions based on those users (or the groups to which the users belong).
CDA runs on a Cisco Linux machine; monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP addresses and user identities in its database; and makes the latest mappings available to its client devices.
Starting with Patch 2, CDA can also receive information from Cisco Identity Services Engine (ISE) and Cisco Secure Access Control Server (ACS) in order to map users who do not log in to Active Directory directly. CDA acts as a syslog server, receives syslog messages from ISE and ACS, and populates the mapping table with the network login information derived from those messages.
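The following is an added example, not Cisco code, showing the shape of the mapping logic the two paragraphs above describe: logon events from a domain controller and Passed-Authentication syslog from ISE/ACS are parsed into IP-to-user pairs, stored in a bounded, last-login-wins cache, and served back both as a single on-demand lookup and as a full download. The syslog line, the Windows event record, the field names, the TTL, and the choice of Windows event IDs 4624/4768/4769 are all constructed assumptions for illustration; the page gives neither CDA's parsers nor the exact ISE/ACS message layout.

```python
"""Added example (not Cisco's CDA code): toy IP-to-user mapping cache fed by
constructed domain-controller logon events and ISE/ACS-style syslog."""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

MAX_MAPPINGS = 64000  # cache ceiling stated in the release notes
T0 = datetime(2013, 10, 10, 12, 0, 0)   # constructed "now" for the samples
LATER = T0 + timedelta(hours=25)        # after the 24h TTL used below

# Constructed ISE-style success message: header followed by key=value pairs.
ISE_SYSLOG = (
    "<182>Oct 10 12:00:00 ise01 CISE_Passed_Authentications 0000000123 1 0 "
    "2013-10-10 12:00:00 +00:00 Passed-Authentication: Authentication succeeded, "
    "UserName=jdoe, Framed-IP-Address=10.1.2.3, NAS-IP-Address=10.0.0.1"
)
# Constructed Windows logon-event records, as a WMI event-log consumer might
# present them. Which event IDs count as "authentication-related" is an
# assumption here (4624 logon, 4768/4769 Kerberos); the page does not say.
DC_EVENT = {"EventCode": 4624, "TargetDomainName": "CORP",
            "TargetUserName": "asmith", "IpAddress": "10.1.2.4"}
COMPUTER_EVENT = {"EventCode": 4624, "TargetDomainName": "CORP",
                  "TargetUserName": "WS01$", "IpAddress": "10.1.2.9"}

KV_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]+)")

def parse_ise_syslog(line):
    """Return (ip, user) from a constructed ISE/ACS success message, else None."""
    if "Passed-Authentication" not in line:
        return None
    kv = {k: v.strip() for k, v in KV_RE.findall(line)}
    user, ip = kv.get("UserName"), kv.get("Framed-IP-Address")
    return (ip, user) if user and ip else None

def parse_dc_logon(event):
    """Return (ip, 'DOMAIN\\user') from a constructed logon event, else None."""
    if event.get("EventCode") not in (4624, 4768, 4769):
        return None
    ip, user = event.get("IpAddress"), event.get("TargetUserName")
    # Skip loopback/local logons and machine accounts (trailing '$'): they
    # would overwrite a real user's mapping with noise.
    if not ip or ip in ("-", "::1", "127.0.0.1") or not user or user.endswith("$"):
        return None
    return ip, f"{event.get('TargetDomainName', '')}\\{user}"

class MappingCache:
    """Bounded, last-login-wins IP -> identity table with a staleness TTL."""
    def __init__(self, capacity=MAX_MAPPINGS, ttl=timedelta(hours=24)):
        self.capacity, self.ttl = capacity, ttl
        self._map = OrderedDict()  # ip -> (user, source, learned_at)

    def learn(self, ip, user, source, when):
        self._map.pop(ip, None)            # re-insert so it becomes most recent
        self._map[ip] = (user, source, when)
        while len(self._map) > self.capacity:
            self._map.popitem(last=False)  # evict the oldest mapping

    def lookup(self, ip, now):
        """On-demand query for one IP; unknown or stale IPs return None."""
        entry = self._map.get(ip)
        if entry is None or now - entry[2] > self.ttl:
            return None
        return entry

    def full_download(self, now):
        """Entire current cache, minus entries past the TTL."""
        return {ip: e for ip, e in self._map.items() if now - e[2] <= self.ttl}

def build_cache(now):
    """Ingest the constructed samples from both sources into one cache."""
    cache = MappingCache()
    ip, user = parse_ise_syslog(ISE_SYSLOG)
    cache.learn(ip, user, "ise", now)
    for ev in (DC_EVENT, COMPUTER_EVENT):
        parsed = parse_dc_logon(ev)
        if parsed:
            cache.learn(parsed[0], parsed[1], "dc", now)
    return cache

if __name__ == "__main__":
    c = build_cache(T0)
    print(c.lookup("10.1.2.3", T0))
    print(c.full_download(T0))
    print(c.full_download(LATER))  # everything has expired by then
```

The machine-account filter and the TTL are the two details worth keeping in mind when reasoning about a real deployment: a mapping that is never aged out keeps granting a departed user's policy to whoever next receives that DHCP lease, and computer-account logons from the same IP would otherwise clobber the human user's mapping.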
Client devices, such as the Cisco Adaptive Security Appliance (ASA) and the Cisco IronPort Web Security Appliance (WSA), interact with the Cisco CDA using the RADIUS protocol in order to obtain the latest set of IP-to-user-identity mappings, in any one of the following ways:
- On-Demand —The Cisco CDA can respond to an on-demand query from the client device for a specific mapping.
- Full Download —The Cisco CDA can respond to a request from the client device for the entire set of mappings currently in its cache.
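As an added example, not Cisco's code and not a description of CDA's actual attribute layout, the block below shows an RFC 2865 Access-Request / Access-Accept exchange of the kind a client device could use for an on-demand query: the queried IP travels in Framed-IP-Address and the answer comes back in User-Name (both standard attributes, chosen here purely for illustration). The part that is standard and security-relevant is the Response Authenticator, MD5 over the response header, the request's Authenticator, the attributes and the shared secret, which the client must verify before trusting the mapping. The shared secret and identity table are constructed for the example.

```python
"""Added example (not Cisco's CDA code): minimal RFC 2865 request/response
with Response Authenticator verification on the client side."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_FRAMED_IP = 1, 8
SECRET = b"example-shared-secret"          # constructed; use a long random one
IDENTITY_TABLE = {"10.1.2.3": "CORP\\jdoe"}  # constructed server-side cache

def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_request(ident, ip, authenticator=None):
    """Client: Access-Request with a random 16-byte Request Authenticator."""
    auth = authenticator or os.urandom(16)
    body = encode_attrs([(ATTR_FRAMED_IP, socket.inet_aton(ip))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def build_response(code, request, secret, attrs):
    """Server: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth = request[1], request[4:20]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(response, req_auth, secret):
    """Client: recompute the Response Authenticator; reject on any mismatch."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, got, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    return hmac.compare_digest(got, expected)

def serve(request, secret, table):
    """Toy identity server: answer with the cached user for the queried IP."""
    attrs = dict(decode_attrs(request[20:]))
    ip = socket.inet_ntoa(attrs.get(ATTR_FRAMED_IP, b"\0\0\0\0"))
    user = table.get(ip)
    if user is None:
        return build_response(ACCESS_REJECT, request, secret, [])
    return build_response(ACCESS_ACCEPT, request, secret,
                          [(ATTR_FRAMED_IP, attrs[ATTR_FRAMED_IP]),
                           (ATTR_USER_NAME, user.encode())])

def query(ip, secret=SECRET, table=IDENTITY_TABLE, ident=7):
    """Client round trip; returns the user, or None if rejected or unverifiable."""
    req, req_auth = build_request(ident, ip)
    resp = serve(req, secret, table)
    if resp[1] != ident or not verify_response(resp, req_auth, secret):
        return None  # wrong identifier or bad authenticator: drop it
    if resp[0] != ACCESS_ACCEPT:
        return None
    return dict(decode_attrs(resp[20:]))[ATTR_USER_NAME].decode()

if __name__ == "__main__":
    print(query("10.1.2.3"))   # CORP\jdoe
    print(query("10.9.9.9"))   # None
```

Note what the authenticator does and does not give you: the client can detect a forged or tampered Access-Accept, but RADIUS obfuscates only User-Password, so the mappings themselves cross the wire in clear text and the secret is all that stands between an on-path attacker and an injected identity. Keep the path between the identity server and its consumer devices on a trusted management network and use a long, random shared secret.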
Integration with ISE/ACS allows consumer devices such as ASA-CX and WSA to make security decisions for a large portion of network endpoints, including those that are not domain members. CDA passes the information to the consumer devices in the same format whether the user/domain information was received from a Windows domain controller event log or through integration with ISE/ACS.
CDA can support up to 80 domain controller machines, and can internally cache up to 64,000 IP-to-user-identity mappings. It supports up to 100 Identity consumer devices. It processes up to 1000 IP-to-user-identity mappings per second (input and output).
See the Installation and Configuration Guide for Context Directory Agent, Release 1.0 for information on the Context Directory Agent requirements. Before you install, ensure that the following conditions are met:
- Hardware requirements are met. See http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1053078 for more information.
- Firewall exceptions, if required, are configured on the network and the AD domain controller machines. See http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1053513 for more information.
- Active Directory requirements are met. See http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1053829 for more information.
- A supported version of Cisco ISE/ACS, if required, is installed on a machine in your deployment.
- Network and firewalls between ISE/ACS and CDA allow syslog traffic (either UDP or TCP, as configured on both ISE/ACS and CDA) to flow from ISE/ACS to CDA. This is applicable only if you have installed Cisco CDA 1.0, Patch 2 or later.
See the Installation and Configuration Guide for Context Directory Agent, Release 1.0 for information on how to install and configure the Context Directory Agent.
Conditions When the administrator list is open in one Cisco CDA GUI session and the list is changed in another concurrent GUI session of the same Cisco CDA, clicking the refresh icon in the Cisco CDA GUI does not reflect those changes in the administrator list.
Conditions When CDA connects to an Active Directory DC, it retrieves the login history from the DC. While the history is being retrieved, the DC status might show as down. This can last several minutes, depending on the history size and system load.
Workaround The issue is transient and the DC status is updated as soon as history retrieval completes. Click the refresh icon to update the display. No other action is required.
A hotfix is available from Microsoft that addresses the root cause of this defect (the WMI process stops sending events to WMI clients from a Windows 7-based or Windows Server 2008 R2-based server): http://support.microsoft.com/kb/2705357
Table 2 lists the caveats that are resolved as part of this patch.
CDA needs to support a user with non-administrator privileges when connecting to the Windows domain controller. Refer to the Installation and Configuration Guide for Context Directory Agent, Release 1.0 for the permissions that account requires.
Table 7 lists the product documentation available for CDA, Release 1.0.
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation , which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0. This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks . Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.