Installation and Configuration Guide for Context Directory Agent, Release 1.0 - Context Directory Agent Overview [Cisco ASA 5500 Series Next Generation Firewalls]

Table Of Contents

Context Directory Agent Overview

Functional Overview

Consumer Device

Active Directory Domain Controller Machines

Syslog Servers

Cisco CDA Performance and Scalability

CDA Deployment Recommendations

Context Directory Agent Overview

The Cisco Context Directory Agent (CDA) is an application that runs on a Cisco Linux machine; monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP addresses and user identities in its database; and makes the latest mappings available to its client devices.

Client devices, such as the Cisco Adaptive Security Appliance (ASA) and the Cisco IronPort Web Security Appliance (WSA), interact with the Cisco CDA using the RADIUS protocol in order to obtain the latest set of IP-to-user-identity mappings, in any one of the following ways:

•On-Demand—The Cisco CDA can respond to an on-demand query from the client device for a specific mapping.

•Full Download—The Cisco CDA can respond to a request from the client device for the entire set of mappings currently in its cache.

For both the on-demand and full-download methods, the request from the client device can be specially tagged to indicate that it also includes a registration regarding any subsequent updates.

For example, when a client device requests a basic on-demand query, the Cisco CDA responds with the specific mapping that might have been found in its cache, and does not send any further updates about that mapping. On the other hand, if the on-demand query also includes a registration, the initial response from Cisco CDA is the same as before and if, at a later point in time, that specific mapping undergoes a change, then Cisco CDA proactively notifies the requesting client device (as well as any other client devices that have registered for notification) about the change in that specific mapping.

Similarly, when a client device requests a basic full download, the Cisco CDA transfers a snapshot of the session data containing all of the mappings currently found in its cache, and does not send any further updates. On the other hand, if the request is to register for replication, then the initial response from the Cisco CDA is the same as before. At a later point in time, if the set of mappings undergoes any sort of change (new mappings added or certain mappings changed and so on), then the Cisco CDA proactively notifies the requesting client device (as well as any other client devices that have registered for replication) about these changes, relative to the snapshot that was previously sent.

The IP-to-user-identity mappings that are discovered, maintained, and provided by the Cisco CDA can include not only IPv4 addresses, but also IPv6 addresses.

The Cisco CDA can send logs to one or more syslog servers.

The Cisco CDA continues to function if any of the Active Directory domain controllers or the client devices have failed. It obtains information from other domain controllers. However, there is no failover for the Cisco CDA. The Cisco CDA internally contains a "watchdog" functionality that continuously monitors the Linux processes internal to it, automatically restarting them if it detects that they have crashed. While there is no failover for CDA in itself, the solution as a whole does support failover, controlled by the consumer devices, using their capability to configure a primary and secondary CDA (similar to primary and secondary RADIUS server), and failover to the secondary server in case the primary is unresponsive. It should be noted that primary and secondary CDAs are completely unaware of each other, and do not exchange any state information.

Related Topic:

Functional Overview

Functional Overview

Figure 1-1 represents a simplified view of the Cisco CDA solution. In this example, a user logs in from a computer and generates web traffic by requesting access to a server. The client device intercepts the web traffic and sends a RADIUS request to the Cisco CDA asking for the user who logged into the computer. The Cisco CDA, which has been maintaining the latest set of IP-to-user-identity mappings, sends the user information to the client device. The client device uses the user identity information to determine whether or not to grant access to the end user.

In case ASA is deployed in the network as a VPN concentrator, the Cisco CDA accepts mapping update events in addition to the login events received from the Active Directory.

Figure 1-1 Cisco CDA Architecture

The Cisco CDA is responsible for:

•Supplying (push and pull, single and bulk) IP-to-user-identity mappings to the consumer devices.

•Receiving notification on IP-to-user-identity mapping from consumer devices.

•Providing an interface to retrieve the status of various components (Cisco CDA and domain controllers).

•Maintaining a session directory of IP-to-user-identity mappings.

•Caching the session information.

•Learning the mappings at real time and notifying the consumer devices of the changes.

•Reading historical log data to learn about existing IP-to-user-identity mappings.

•Providing configuration mechanism using the GUI to configure the Cisco CDA, viewing the concurrent mapping list and log events.

•Periodically cleaning expired mappings. Expiration is defined by user logon TTL.

The Cisco CDA interacts with the following components in a network:

•Consumer Device

•Active Directory Domain Controller Machines

•Syslog Servers

Consumer Device

Client devices are responsible for actively retrieving (and/or passively receiving) the latest IP-to-user-identity mappings from the Cisco CDA. A consumer device is responsible for:

•Retrieving the IP-to-user-identity mappings from the Cisco CDA.

•Receiving notifications of IP-to-user-identity mappings from the Cisco CDA.

•Enforcing identity based firewall policy.

•Basic monitoring of the Active Directory connectivity via the Cisco CDA.

•Retrieving group information directly from the Active Directory.

•Web-auth fallback for IPs that the Cisco CDA did not map to identity.

•Forwarding of new mappings revealed by consumer devices via the web-auth to the Cisco CDA.

•Forwarding IP-to-user-identity mapping for VPN sessions.

•Running NetBIOS probing and forwarding disconnect notification to the Cisco CDA.

These updates are sent as RADIUS Accounting-Request messages.

Related Topics:

•Active Directory Domain Controller Machines

•Syslog Servers

Active Directory Domain Controller Machines

The Cisco Context Directory Agent monitors the security event log of the Active Directory Domain Controllers in order to retrieve information about user logins and deliver this data to the consumer devices.

Upon startup CDA reads a time based window (history) of users that are already logged-in. After CDA is up and running it monitors and retrieves user logins in realtime. Connection is required between CDA and the Active Directory domain controller for retrieving the user login events.

To connect to the Active Directory Domain Controllers, the CDA uses an Active Directory user.

An Active Directory user used by CDA must have the required permissions in order to connect and monitor the Active Directory Domain Controllers

The Active directory user used by CDA can be a member of the Domain Admin Group; however this is not mandatory if you have installed Cisco CDA patch 1 (any future CDA patches would include patch 1 functionality as well).

The connection between CDA and the Active Directory Domain Controller is also authenticated using MS NTLM protocol. CDA patch 1 supports NTLMv1 and NTLMv2.

Related Topics

•Permission Required when an Active Directory User is a Member of the Domain Admin Group

•Permission Required when an Active Directory User is Not a Member of the Domain Admin Group

Syslog Servers

The Cisco CDA can forward logs containing administrative and troubleshooting information to one or more syslog servers. It also updates the IP-to-user-identity mapping information. The contents of these logs are identical to that of the customer logs that are locally available on the Cisco CDA machine. The syslog mechanism allows this information to be distributed remotely, to any target machine running a syslog server and capable of receiving syslog messages.

Related Topics:

•Consumer Device

•Active Directory Domain Controller Machines

Cisco CDA Performance and Scalability

The Cisco CDA can support up to 80 domain controller machines, and can internally cache up to 64,000 IP-to-user-identity mappings. It supports up to 100 Identity consumer devices. Cisco CDA processes 1000 IP-to-user-identity mappings per second (input and output).

The Cisco CDA is tested to support three Syslog servers, twenty administrators, and five concurrent admin GUI sessions.

CDA Deployment Recommendations

It is recommended to consider the following aspects while deploying CDA:

•Cisco CDA interoperates with the consumer devices using the UDP protocol. Therefore, it is recommended for CDA to be located geographically near the consumer devices. This is mainly important when CDA sends bulk data to the consumer device, which can be time consuming over the WAN.

•It is recommended that any CDA node in the deployment receive all user login information from the Active Directory Domain Controllers. This will allow consumer devices to interoperate with the local CDA for all user logins data. Moreover, having the Active Directory Domain Controller geographically near the CDA will increase reliability.

•To achieve high availability you can use two CDAs with the same configuration where both CDAs must retrieve same user login information from the same Active Directory Domain Controllers. It is the role of the consumer device to switch to the second CDA in case the first CDA is non-responding.

Figure 1-2 The Recommended Cisco CDA Deployment Type

	Installation and Configuration Guide for Context Directory Agent, Release 1.0
	Context Directory Agent Overview
Installation and Configuration Guide for Context Directory Agent, Release 1.0 Preface Context Directory Agent Overview Installing and Configuring Context Directory Agent Working with Context Directory Agent Context Directory Agent Command Reference Index	Download this chapter Context Directory Agent Overview Download the complete book Context Directory Agent Book PDF (PDF - 4 MB) Feedback Table Of Contents Context Directory Agent Overview Functional Overview Consumer Device Active Directory Domain Controller Machines Syslog Servers Cisco CDA Performance and Scalability CDA Deployment Recommendations Context Directory Agent Overview The Cisco Context Directory Agent (CDA) is an application that runs on a Cisco Linux machine; monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP addresses and user identities in its database; and makes the latest mappings available to its client devices. Client devices, such as the Cisco Adaptive Security Appliance (ASA) and the Cisco IronPort Web Security Appliance (WSA), interact with the Cisco CDA using the RADIUS protocol in order to obtain the latest set of IP-to-user-identity mappings, in any one of the following ways: •On-Demand—The Cisco CDA can respond to an on-demand query from the client device for a specific mapping. •Full Download—The Cisco CDA can respond to a request from the client device for the entire set of mappings currently in its cache. For both the on-demand and full-download methods, the request from the client device can be specially tagged to indicate that it also includes a registration regarding any subsequent updates. For example, when a client device requests a basic on-demand query, the Cisco CDA responds with the specific mapping that might have been found in its cache, and does not send any further updates about that mapping. On the other hand, if the on-demand query also includes a registration, the initial response from Cisco CDA is the same as before and if, at a later point in time, that specific mapping undergoes a change, then Cisco CDA proactively notifies the requesting client device (as well as any other client devices that have registered for notification) about the change in that specific mapping. Similarly, when a client device requests a basic full download, the Cisco CDA transfers a snapshot of the session data containing all of the mappings currently found in its cache, and does not send any further updates. On the other hand, if the request is to register for replication, then the initial response from the Cisco CDA is the same as before. At a later point in time, if the set of mappings undergoes any sort of change (new mappings added or certain mappings changed and so on), then the Cisco CDA proactively notifies the requesting client device (as well as any other client devices that have registered for replication) about these changes, relative to the snapshot that was previously sent. The IP-to-user-identity mappings that are discovered, maintained, and provided by the Cisco CDA can include not only IPv4 addresses, but also IPv6 addresses. The Cisco CDA can send logs to one or more syslog servers. The Cisco CDA continues to function if any of the Active Directory domain controllers or the client devices have failed. It obtains information from other domain controllers. However, there is no failover for the Cisco CDA. The Cisco CDA internally contains a "watchdog" functionality that continuously monitors the Linux processes internal to it, automatically restarting them if it detects that they have crashed. While there is no failover for CDA in itself, the solution as a whole does support failover, controlled by the consumer devices, using their capability to configure a primary and secondary CDA (similar to primary and secondary RADIUS server), and failover to the secondary server in case the primary is unresponsive. It should be noted that primary and secondary CDAs are completely unaware of each other, and do not exchange any state information. Related Topic: Functional Overview Functional Overview Figure 1-1 represents a simplified view of the Cisco CDA solution. In this example, a user logs in from a computer and generates web traffic by requesting access to a server. The client device intercepts the web traffic and sends a RADIUS request to the Cisco CDA asking for the user who logged into the computer. The Cisco CDA, which has been maintaining the latest set of IP-to-user-identity mappings, sends the user information to the client device. The client device uses the user identity information to determine whether or not to grant access to the end user. In case ASA is deployed in the network as a VPN concentrator, the Cisco CDA accepts mapping update events in addition to the login events received from the Active Directory. Figure 1-1 Cisco CDA Architecture The Cisco CDA is responsible for: •Supplying (push and pull, single and bulk) IP-to-user-identity mappings to the consumer devices. •Receiving notification on IP-to-user-identity mapping from consumer devices. •Providing an interface to retrieve the status of various components (Cisco CDA and domain controllers). •Maintaining a session directory of IP-to-user-identity mappings. •Caching the session information. •Learning the mappings at real time and notifying the consumer devices of the changes. •Reading historical log data to learn about existing IP-to-user-identity mappings. •Providing configuration mechanism using the GUI to configure the Cisco CDA, viewing the concurrent mapping list and log events. •Periodically cleaning expired mappings. Expiration is defined by user logon TTL. The Cisco CDA interacts with the following components in a network: •Consumer Device •Active Directory Domain Controller Machines •Syslog Servers Consumer Device Client devices are responsible for actively retrieving (and/or passively receiving) the latest IP-to-user-identity mappings from the Cisco CDA. A consumer device is responsible for: •Retrieving the IP-to-user-identity mappings from the Cisco CDA. •Receiving notifications of IP-to-user-identity mappings from the Cisco CDA. •Enforcing identity based firewall policy. •Basic monitoring of the Active Directory connectivity via the Cisco CDA. •Retrieving group information directly from the Active Directory. •Web-auth fallback for IPs that the Cisco CDA did not map to identity. •Forwarding of new mappings revealed by consumer devices via the web-auth to the Cisco CDA. •Forwarding IP-to-user-identity mapping for VPN sessions. •Running NetBIOS probing and forwarding disconnect notification to the Cisco CDA. These updates are sent as RADIUS Accounting-Request messages. Related Topics: •Active Directory Domain Controller Machines •Syslog Servers Active Directory Domain Controller Machines The Cisco Context Directory Agent monitors the security event log of the Active Directory Domain Controllers in order to retrieve information about user logins and deliver this data to the consumer devices. Upon startup CDA reads a time based window (history) of users that are already logged-in. After CDA is up and running it monitors and retrieves user logins in realtime. Connection is required between CDA and the Active Directory domain controller for retrieving the user login events. To connect to the Active Directory Domain Controllers, the CDA uses an Active Directory user. An Active Directory user used by CDA must have the required permissions in order to connect and monitor the Active Directory Domain Controllers The Active directory user used by CDA can be a member of the Domain Admin Group; however this is not mandatory if you have installed Cisco CDA patch 1 (any future CDA patches would include patch 1 functionality as well). The connection between CDA and the Active Directory Domain Controller is also authenticated using MS NTLM protocol. CDA patch 1 supports NTLMv1 and NTLMv2. Related Topics •Permission Required when an Active Directory User is a Member of the Domain Admin Group •Permission Required when an Active Directory User is Not a Member of the Domain Admin Group Syslog Servers The Cisco CDA can forward logs containing administrative and troubleshooting information to one or more syslog servers. It also updates the IP-to-user-identity mapping information. The contents of these logs are identical to that of the customer logs that are locally available on the Cisco CDA machine. The syslog mechanism allows this information to be distributed remotely, to any target machine running a syslog server and capable of receiving syslog messages. Related Topics: •Consumer Device •Active Directory Domain Controller Machines Cisco CDA Performance and Scalability The Cisco CDA can support up to 80 domain controller machines, and can internally cache up to 64,000 IP-to-user-identity mappings. It supports up to 100 Identity consumer devices. Cisco CDA processes 1000 IP-to-user-identity mappings per second (input and output). The Cisco CDA is tested to support three Syslog servers, twenty administrators, and five concurrent admin GUI sessions. CDA Deployment Recommendations It is recommended to consider the following aspects while deploying CDA: •Cisco CDA interoperates with the consumer devices using the UDP protocol. Therefore, it is recommended for CDA to be located geographically near the consumer devices. This is mainly important when CDA sends bulk data to the consumer device, which can be time consuming over the WAN. •It is recommended that any CDA node in the deployment receive all user login information from the Active Directory Domain Controllers. This will allow consumer devices to interoperate with the local CDA for all user logins data. Moreover, having the Active Directory Domain Controller geographically near the CDA will increase reliability. •To achieve high availability you can use two CDAs with the same configuration where both CDAs must retrieve same user login information from the same Active Directory Domain Controllers. It is the role of the consumer device to switch to the second CDA in case the first CDA is non-responding. Figure 1-2 The Recommended Cisco CDA Deployment Type
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks