Installation and Configuration Guide for Context Directory Agent, Release 1.0
Working with Context Directory Agent

Table Of Contents

Working with Context Directory Agent

Understanding the Cisco CDA User Interface

Supported Browsers

Logging into the Cisco CDA

Cisco CDA Dashboard

Working in the Cisco CDA User Interface

Consumer Devices

Adding and Editing Consumer Devices

Deleting Consumer Devices

Filtering Consumer Devices

Active Directory Servers

Adding and Editing Active Directory Servers

Deleting Active Directory Servers

Filtering Active Directory Servers

Active Directory General Settings

Syslog Servers

Adding and Editing Syslog Servers

Deleting Syslog Servers

Filtering Syslog Servers

Log Level Settings

IP-to-User-Identity Mappings

Mapping Filters

Registered Devices

Administrators

Password Policy

Session Timeout

Live Logs


Working with Context Directory Agent


The Cisco Context Directory Agent (CDA) is a web-based application that is served over HTTPS using a self-signed certificate.

This chapter contains:

Understanding the Cisco CDA User Interface

Working in the Cisco CDA User Interface

Understanding the Cisco CDA User Interface

This section contains:

Supported Browsers

Logging into the Cisco CDA

Cisco CDA Dashboard

Supported Browsers

The following browsers are supported with the Cisco CDA:

Table 3-1 Supported Browsers for Cisco CDA

Operating System    Supported Browsers
Linux               Firefox versions 9 and 10
Win 7               Microsoft Internet Explorer versions 8 and 9 (in compatibility mode), Firefox versions 9 and 11
Win XP              Microsoft Internet Explorer version 8, Firefox versions 9 and 11
Mac OSX             Safari version 5.1.5


Related Topics:

Logging into the Cisco CDA

Cisco CDA Dashboard

Logging into the Cisco CDA

You connect to the Cisco CDA through its web interface, using one of the supported web browsers.

To log in to the Cisco CDA, complete the following steps:


Step 1 Enter the Cisco CDA URL in the web browser: https://<ip_address/hostname>/cda

Step 2 Enter your user name and password in the Cisco CDA login page (Figure 3-1), and click Login.

Figure 3-1 Cisco CDA Login Page

Step 3 The Cisco CDA Dashboard is displayed (Figure 3-2) when you first log in.

Figure 3-2 Cisco CDA Dashboard


Related Topics:

Supported Browsers

Cisco CDA Dashboard

Cisco CDA Dashboard

The Cisco CDA Dashboard provides dashlets to quickly create, edit, or delete Active Directory servers, Consumer devices, Syslog servers, and Administrators.

It also provides dashlets with lists of existing Active Directory servers, Consumer devices, and Syslog servers. In addition, the dashboard provides links to Active Directory general settings, registered devices page, and log level settings. See Figure 3-2.

To go back to the Dashboard from any other page, click Home.

Related Topics:

Supported Browsers

Logging into the Cisco CDA

Working in the Cisco CDA User Interface

This section contains:

Consumer Devices

Active Directory Servers

Syslog Servers

IP-to-User-Identity Mappings

Mapping Filters

Registered Devices

Administrators

Password Policy

Session Timeout

Live Logs

Consumer Devices

Consumer devices are responsible for actively retrieving (and/or passively receiving) the latest IP-to-user-identity mappings from the Cisco CDA. You can add, edit or delete consumer devices. Cisco CDA validates that the IP address ranges in this table do not overlap.

This section contains:

Adding and Editing Consumer Devices

Deleting Consumer Devices

Filtering Consumer Devices

Adding and Editing Consumer Devices

Consumer device entries in the dashlet are not synonymous with the actual ASA and WSA firewall devices. Instead, each Consumer Device entry here is a logical rule, permitting an IP address (if the Mask is 32), or a range of addresses (if the Mask is 0-31), to communicate with the Cisco CDA over RADIUS.

Creating a consumer device entry in the table or dashlet does not actually initiate any communication with the device. It only creates the rule. The Cisco CDA acts as the RADIUS server in this case, hence it does not initiate the conversation with the device. It is the actual consumer device that initiates the RADIUS conversation with the Cisco CDA. First add the consumer device IP address or range in the Cisco CDA, and then configure the device itself to contact the Cisco CDA using the CLI or management GUI.

To add or edit a consumer device, complete the following steps:


Step 1 Click Add on the Identity Consumers dashlet, or check the check box next to a device and click Edit to edit it. Alternatively, click the Add Consumer Devices link on the Dashboard.

The Consumer Device Configuration dialog box appears (Figure 3-4).

Figure 3-3 Identity Consumers Dashlet

Figure 3-4 Consumer Device Configuration Dialog Box

Step 2 Fill in or edit the following details:

Name—Name of the rule.

IP Address—IP address of the consumer device, or the subnet address of a range of devices.

Mask (range)—A number between 0 and 32: the prefix length that describes the consumer device IP range in CIDR notation.

Shared Secret—Passphrase that a consumer device uses when communicating with the Cisco CDA. The shared secret entered here must be identical to the one configured on the device with that IP address (or on each of the devices in the IP range) that accesses the Cisco CDA through this rule.

Step 3 Check the Show Secret check box if you want the shared secret to be displayed in plain text.

Step 4 Click Save.

The new consumer device is listed in the Identity Consumers dashlet.
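The non-overlap validation that the Cisco CDA applies to this table, as an added example and not CDA code: each IP Address + Mask pair becomes a CIDR range, a new or edited entry whose range overlaps another rule is rejected, and a RADIUS client address can therefore match at most one shared secret. Rule names, addresses and secrets are constructed, and masking off host bits in the IP is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional


class RuleError(ValueError):
    """Raised when a consumer device entry is invalid."""


def rule_network(ip: str, mask: int) -> ipaddress.IPv4Network:
    """Turn an IP Address + Mask pair into the CIDR range the rule admits.

    Mask 32 admits a single host; 0-31 admits a range.  Assumption (not
    stated on the page): host bits set in the IP are masked off rather than
    rejected, so 10.1.2.3 with mask 24 becomes 10.1.2.0/24.
    """
    if not 0 <= mask <= 32:
        raise RuleError(f"mask must be between 0 and 32, got {mask}")
    try:
        return ipaddress.IPv4Network((ip, mask), strict=False)
    except ValueError as exc:
        raise RuleError(f"invalid IP address {ip!r}: {exc}") from exc


def find_overlap(new_rule: Dict, existing: List[Dict]) -> Optional[str]:
    """Return the name of the first existing rule whose range overlaps
    new_rule, or None if the entry can be saved.  This reproduces the
    non-overlap validation the page says CDA performs.  When an existing
    entry is being edited it is matched by name and not compared to itself."""
    candidate = rule_network(new_rule["ip"], new_rule["mask"])
    for rule in existing:
        if rule["name"] == new_rule["name"]:
            continue
        if candidate.overlaps(rule_network(rule["ip"], rule["mask"])):
            return rule["name"]
    return None


def lookup_secret(client_ip: str, rules: List[Dict]) -> Optional[str]:
    """Find the shared secret that applies to a RADIUS client address.
    Because the table holds no overlapping ranges, at most one rule matches."""
    addr = ipaddress.IPv4Address(client_ip)
    for rule in rules:
        if addr in rule_network(rule["ip"], rule["mask"]):
            return rule["secret"]
    return None


# Constructed sample table (not from the page): two ASA ranges and one WSA host.
SAMPLE_RULES = [
    {"name": "asa-dc1", "ip": "10.10.0.0", "mask": 24, "secret": "s3cret-dc1"},
    {"name": "asa-dc2", "ip": "10.20.0.0", "mask": 24, "secret": "s3cret-dc2"},
    {"name": "wsa-01", "ip": "192.0.2.10", "mask": 32, "secret": "s3cret-wsa"},
]

if __name__ == "__main__":
    # A /25 inside asa-dc1's /24 is rejected; a fresh /24 is accepted.
    print(find_overlap({"name": "asa-dc3", "ip": "10.10.0.128", "mask": 25}, SAMPLE_RULES))
    print(find_overlap({"name": "asa-dc3", "ip": "10.30.0.0", "mask": 24}, SAMPLE_RULES))
    print(lookup_secret("10.20.0.7", SAMPLE_RULES))
```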


Related Topics:

Deleting Consumer Devices

Filtering Consumer Devices

Deleting Consumer Devices

To delete a Consumer device, complete the following steps:


Step 1 From the Identity Consumers dashlet, select the check box next to the device you want to delete in the list and click Delete.

Cisco CDA will prompt for a confirmation.

Step 2 Click OK.

The consumer device is deleted.


Related Topics:

Adding and Editing Consumer Devices

Filtering Consumer Devices

Filtering Consumer Devices

You can filter Consumer devices based on the following criteria:

IP Address

Mask

Name

To filter the Consumer Devices list, complete the following steps:


Step 1 Click the filter icon in the Identity Consumers dashlet.

Step 2 Fill in the criteria on which you want to filter.

Step 3 Press Enter.


Related Topics:

Adding and Editing Consumer Devices

Deleting Consumer Devices

Active Directory Servers

Active Directory maintains the organization's identities and their attributes. The Cisco CDA interoperates with the Active Directory domain controller to obtain IP-to-user-identity mapping information using the MS WMI protocol. You can add, edit or delete Active Directory servers. You should also add a backup Active Directory domain controller.

This section contains:

Adding and Editing Active Directory Servers

Deleting Active Directory Servers

Filtering Active Directory Servers

Active Directory General Settings

Adding and Editing Active Directory Servers

Prerequisite

Make sure that all the requirements described in the "Active Directory Requirements for Successful Connection with Cisco CDA" section are fulfilled; they are needed for a successful connection with the Cisco CDA.

To add or edit an Active Directory server, complete the following steps:


Step 1 Click Add on the Active Directory Servers dashlet, or check the check box next to a server and click Edit to edit it. Alternatively, click the Add Active Directory Server link on the Dashboard.

The Active Directory Server Configuration dialog box appears (Figure 3-5).

Figure 3-5 Active Directory Server Configuration Dialog Box

Step 2 Fill in the following details:

General Settings

Display Name—Display name of the Active Directory server.

Domain FQDN—Fully qualified domain name (FQDN) of the Active Directory domain to which the server belongs.

Host FQDN—Host FQDN of the Active Directory server.

Administrator

User name—Username that the Cisco CDA will use to communicate with the Active Directory server.

Password—Password that the Cisco CDA will use to communicate with the Active Directory server. It should be the password corresponding to the username specified above.

This account must have the necessary privileges as described in the "Active Directory Requirements for Successful Connection with Cisco CDA" section.

Step 3 Click Save.

The new Active Directory server is listed in the Active Directory Servers dashlet.


If the Group Policy enforced on the Domain Controller is set to "Send NTLMv2 response only. Refuse LM & NTLM" (see Figure 3-6), you must use NTLMv2 to connect to the Domain Controller. Check the "Use NTLMv2" check box in Active Directory General Settings; otherwise the CDA cannot connect to the Domain Controller.

To see which Group Policy is applied on the Domain Controller, complete the following steps:


Step 1 Go to Start > Administrative Tools > Group Policy Management.

Step 2 Choose Default Domain Controllers Policy, right-click and choose Edit.

Group Policy Management Editor appears.

Step 3 Go to Security Settings > Local Policies > Security Options.

The Local Security Settings tab shows the Group Policy.


Figure 3-6 Security Setting

Related Topics:

Active Directory Requirements for Successful Connection with Cisco CDA

Connectivity Requirements

Deleting Active Directory Servers

Filtering Active Directory Servers

Active Directory General Settings

Deleting Active Directory Servers

To delete an Active Directory server, complete the following steps:


Step 1 From the Active Directory Servers dashlet, select the check box next to the Active Directory server you want to delete in the list and click Delete.

Cisco CDA will prompt for a confirmation.

Step 2 Click OK.

The Active Directory server is deleted.


Related Topics:

Adding and Editing Active Directory Servers

Filtering Active Directory Servers

Active Directory General Settings

Filtering Active Directory Servers

You can filter Active Directory servers based on the Domain FQDN.

To filter the Active Directory servers list, complete the following steps:


Step 1 Click the filter icon in the Active Directory Servers dashlet.

Step 2 Enter the Domain FQDN of the server.

Step 3 Press Enter.


Related Topics:

Adding and Editing Active Directory Servers

Deleting Active Directory Servers

Active Directory General Settings

Active Directory General Settings

You can change the Active Directory General Settings to configure how the Cisco CDA interacts with the Active Directory servers.

To configure the Active Directory general settings, complete the following steps:


Step 1 Click the Active Directory General Settings link on the Dashboard.

The Active Directory General Settings dialog box is displayed.

Step 2 Fill in the following details:

AD Monitoring—Interval between consecutive checks of the DC machine's up/down status.

History—Number of minutes in the past from which to start reading the security logs of the configured DC machines. For example, if you want history for the past ten minutes, enter 10.

User Logon Expiration Period—Time after which a logged-in user is marked as logged out.

Use NTLMv2—Check this check box to make the CDA use the NTLMv2 authentication protocol when connecting to Active Directory Domain Controllers. This check box is not checked by default after installing Cisco CDA, patch 1.

Make sure that all the requirements described in the "Active Directory Requirements for Successful Connection with Cisco CDA" section are fulfilled; they are needed for a successful connection with the Cisco CDA.

If the Group Policy enforced on the Domain Controller is set to "Send NTLMv2 response only. Refuse LM & NTLM" (see Figure 3-6), you must enable NTLMv2 here for the CDA to connect to the Domain Controller successfully.

Step 3 Click Save.


Related Topics:

Adding and Editing Active Directory Servers

Deleting Active Directory Servers

Filtering Active Directory Servers

Syslog Servers

The Cisco CDA can forward logs containing administrative and troubleshooting information to one or more syslog servers. The contents of these logs are identical to those of the customer logs that are stored locally on the Cisco CDA machine. You can add, edit or delete syslog servers.

This section contains:

Adding and Editing Syslog Servers

Deleting Syslog Servers

Filtering Syslog Servers

Log Level Settings

Adding and Editing Syslog Servers

To add or edit a syslog server, complete the following steps:


Step 1 Click Add on the Syslog Servers dashlet, or check the check box next to a server and click Edit to edit it. Alternatively, click the Add Syslog Servers link on the Dashboard.

The Syslog Server Configuration dialog box appears (Figure 3-7).

Figure 3-7 Syslog Server Configuration Dialog Box

Step 2 Fill in the following details:

Display Name—Display name of the syslog server.

IP Address—IP address of the syslog server.

Facility—Syslog facility.

Step 3 Click Save.

The new syslog server is listed in the Syslog Servers dashlet.


Related Topics:

Deleting Syslog Servers

Filtering Syslog Servers

Log Level Settings

Deleting Syslog Servers

To delete a Syslog server, complete the following steps:


Step 1 From the Syslog Servers dashlet, select the check box next to the server you want to delete in the list and click Delete.

Cisco CDA will prompt for a confirmation.

Step 2 Click OK.

The Syslog server is deleted.


Related Topics:

Adding and Editing Syslog Servers

Filtering Syslog Servers

Log Level Settings

Filtering Syslog Servers

You can filter Syslog servers based on the following criteria:

Name

IP Address

Facility

To filter the syslog server list, complete the following steps:


Step 1 Click the filter icon in the Syslog Servers dashlet.

Step 2 Fill in the criteria on which you want to filter.

Step 3 Press Enter.


Related Topics:

Adding and Editing Syslog Servers

Deleting Syslog Servers

Log Level Settings

Log Level Settings

The Log Level Settings globally configure the log level for the logs sent to syslog servers and for the logs stored on the Cisco CDA machine, which can be viewed in the user interface under Live Logs.

To configure the global log level settings, complete the following steps:


Step 1 Click the Log Level Settings link on the Dashboard.

The Global Log Level Settings dialog box is displayed.

Step 2 Select a log level from the Log Level drop-down list. Cisco CDA provides the following log levels:

Fatal

Error

Warning

Notice

Info

Debug

Step 3 Click Save.


Related Topics:

Adding and Editing Syslog Servers

Deleting Syslog Servers

Filtering Syslog Servers

IP-to-User-Identity Mappings

Cisco CDA lists all the currently cached IP-to-user-identity mappings and allows the administrator to refresh, filter and delete the mappings. Figure 3-8 shows the IP-to-user-identity mappings page.

Figure 3-8 IP-to-User-Identity Mappings Page

Listing the IP-to-User-Identity Mappings

To list the IP-to-user-identity mappings, choose Mappings > IP to Identity.

Refreshing the IP-to-User-Identity Mappings Page

This page is automatically refreshed every 10 seconds by default. You can change the refresh rate to one of the following:

20 seconds

30 seconds

1 minute

2 minutes

none

Filtering the IP-to-User-Identity Mappings Page

You can use the quick filter or advanced filter options to filter the IP-to-user-identity mapping records.


Step 1 Choose Mappings > IP to Identity.

The Mapping of IP Addresses to Identities page appears, which lists all the IP-to-user-identity mapping records.

Step 2 Click the Show drop-down to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or the Manage Preset Filters option, which allows you to manage preset filters for filtering.



Note To return to the IP-to-user-identity mapping list, choose All from the Show drop-down list to display all the mappings without filtering.


To filter by using the Quick Filter option:

A quick filter filters IP-to-user-identity mappings based on each attribute on the Mapping of IP Addresses to Identities page.

Click inside any field and enter the search criteria in the text box. The Mapping of IP Addresses to Identities page refreshes with the matching results. If you clear the field, the page again lists all the mappings.

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter IP-to-user-identity mappings by using more complex conditions. It contains one or more filter rows, each of which matches mappings whose attribute value meets the condition you define in that row. When you add multiple rows, you can require a mapping to match any one row or all the rows within the single advanced filter.


Step 1 Choose an attribute from the drop-down list. You can filter the IP-to-user-identity mapping records on any of the following record attributes:

IP

Mapping-Type

Domain

Mapping-Origin

Time stamp

User name

Response-to-probe

Step 2 Choose the operator from the drop-down list.

Step 3 Enter the value for the attribute that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove a filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name for the filter and click Save. Do not include spaces in the name of a preset filter. Click Cancel to discard the current filter without saving it.


Deleting the IP-to-User-Identity Mappings

You can delete the selected mappings or clear all the mapping records. Both operations are asynchronous, so it takes some time for the IP-to-Identity mappings page to reflect the change.

To delete a mapping, complete the following steps:


Step 1 Choose Mappings > IP to Identity.

Step 2 Select the check box next to the mapping you want to delete.

Step 3 Click Delete.


Mapping Filters

You can use the Mapping Filters to block particular users or IP addresses from being monitored by the Cisco CDA.

You can create filters that specify user names, IP addresses or both. The Cisco CDA ignores mapping updates for the specified users and/or IP addresses and does not collect mapping data from those updates. The data for the filtered users/IP addresses is not cached by the Cisco CDA, so it is neither listed on the IP-to-Identity mapping page nor distributed to consumer devices.

To create Mapping filters, complete the following steps:


Step 1 Choose Mappings > Filters.

Step 2 Click Add.

The Mapping Filters Configuration dialog box is displayed.

Step 3 Fill in the following details:

Username—User name that must be blocked from monitoring.

IP Address—IP address of the device that must be blocked from monitoring.

Apply on existing mappings—Check this check box if you want the filter to apply on the existing IP-to-user-identity mapping records.

Step 4 Click Save.

The new filter will be listed on the filters page.


Registered Devices

The Registered Devices page displays a list of consumer devices that are connected to CDA and have subscribed to receive mapping updates, either for specific IP addresses (On demand with registration) or for the entire mapping database (Full download with registration).

Note that some consumer devices do not register for updates and therefore do not show up on this page, even though they communicate with CDA as required. For such devices this does not indicate any issue. The Cisco WSA is an example of such a device.

To view all the registered devices, click the Registered Devices tab on the home page.

This page lists the following details:

Status

IP Address

Configuration Name

Configuration Range

The status field indicates whether the device is "in-sync" (green) or "out-of-sync" (red) with the Cisco CDA. The other fields display information that was provided when the device was configured.

Administrators

You can add Cisco CDA administrators with admin or user privileges to access the Cisco CDA user interface.

An administrator with only user privilege has access to all the Cisco CDA GUI screens and functionality, except the System menu.

An administrator with both user and admin privileges has access to all the Cisco CDA GUI screens and functionality, including the System menu.

Adding and Editing Administrators

To add or edit an administrator, complete the following steps:


Step 1 Choose System > Administrators.

The Administrators page appears.

Step 2 Do one of the following:

Click Add to add a new administrator.

Select the check box next to an existing administrator in the list and click Edit.

Step 3 Enter the following details:

User name

Password

Verify Password

Authority

First Name

Last Name

Step 4 Click Save to save the new or edited administrator.


Deleting Administrators

To delete an administrator, complete the following steps:


Step 1 Choose System > Administrators.

Step 2 Select the check box next to the administrator you want to delete in the list and click Delete.

Cisco CDA will prompt for a confirmation.

Step 3 Click OK.

The administrator is deleted.


Password Policy

You can create a password policy for administrator accounts to enhance security. The policy that you define here is applied to all accounts with admin privilege in Cisco CDA.

To configure the password policy, complete the following steps:


Step 1 Choose System > Password Policy.

The Password Policy page appears.

Step 2 Enter the following information:

Check or uncheck the attributes a new password must contain:

Lower case letters

Upper case letters

Digits

Special characters

Check or uncheck the attributes a new password must not contain:

Three or more consecutive characters—Check this check box to restrict the use of three or more consecutive characters.

Username (or reversed)—Check this check box to restrict the use of the administrator username or its characters in reverse order.

"Cisco" (or reversed)—Check this check box to restrict the use of the word "cisco" or its characters in reverse order.

Custom word (or reversed)—Restrict the use of any word that you define, or its characters in reverse order.

Minimum Length—(Required) Specifies the minimum length of the password (in characters). The default is 4 characters.

Maximum Length—(Required) Specifies the maximum length of the password (in characters). The default is 99 characters.

Step 3 Click Save to save the policy.
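A validator that applies the policy attributes listed above to a candidate password, as an added example and not the CDA's own implementation. The PasswordPolicy fields and their defaults mirror the check boxes and defaults on this page; reading "three or more consecutive characters" as a run of identical characters is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class PasswordPolicy:
    """One field per check box on the Password Policy page (constructed model)."""
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_three_consecutive: bool = True
    forbid_username: bool = True
    forbid_cisco: bool = True
    custom_words: List[str] = field(default_factory=list)
    min_length: int = 4    # page default
    max_length: int = 99   # page default


def _contains_word_or_reverse(password: str, word: str) -> bool:
    """Case-insensitive check for the word or its characters in reverse order."""
    p, w = password.lower(), word.lower()
    return bool(w) and (w in p or w[::-1] in p)


def check_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("missing lower case letter")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("missing upper case letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("missing digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing special character")
    # Assumption: "three or more consecutive characters" means the same
    # character repeated three or more times in a row, e.g. "aaa" or "111".
    if policy.forbid_three_consecutive and re.search(r"(.)\1\1", password):
        problems.append("contains three or more consecutive identical characters")
    if policy.forbid_username and _contains_word_or_reverse(password, username):
        problems.append("contains the username or its reverse")
    if policy.forbid_cisco and _contains_word_or_reverse(password, "cisco"):
        problems.append('contains "cisco" or its reverse')
    for word in policy.custom_words:
        if _contains_word_or_reverse(password, word):
            problems.append(f'contains custom word "{word}" or its reverse')
    return problems


if __name__ == "__main__":
    # Constructed candidates checked against the default policy plus one custom word.
    policy = PasswordPolicy(custom_words=["cda"])
    for candidate in ["Str0ng#Pass", "ocsic1!A", "xxx1!Ab", "nimda9?Q", "abc"]:
        print(candidate, "->", check_password(candidate, "admin", policy) or "OK")
```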


Session Timeout

Cisco CDA also allows you to determine the length of time a Cisco CDA GUI session can be inactive and still remain connected. You can specify a time in minutes after which Cisco CDA logs out the administrator. After a session timeout, the administrator must log in again to access the Cisco CDA user interface.

To configure the session timeout, complete the following steps:


Step 1 Choose System > Session Timeout.

The Session Timeout page appears.

Step 2 Enter the Session timeout value in minutes.

Step 3 Click Save.


Live Logs

Cisco CDA live logs provide a mechanism for diagnosing, troubleshooting, and auditing the operations of CDA. Live logs gather all the information you need for auditing and troubleshooting the system. Live logs are stored in the db/reports.db file and in the configured Syslog servers. The live logs GUI presents up to the last 10,000 messages generated by CDA.

Message types

The Cisco CDA live logs list the following messages:

CDA Control Messages

Configuration Changes

Mapping Updates

Sync Requests

CoA Based Traffic

Session Data Snapshot Transfer

On-demand Queries

Keep Alive Requests

Domain Status Query

DC Status Tracking

Message Content

The Cisco CDA live log messages include the following information:

Timestamp

Severity

Origin Component

Message Code

Message Text

Log Levels

The following log levels, each shown with its own status symbol in the GUI, are supported by Cisco CDA:

Debug

Info

Notice

Warning

Error

Fatal


Verbosity Levels

The Cisco CDA enables you to configure log verbosity to one of the following values:

NONE

FATAL

ERROR

WARN

INFO

DEBUG

Filtering the Live Logs

You can filter the live logs on any of the log attributes. The log attributes are:

Time stamp

Severity

Origin Component

Message

Attributes

To filter the live logs, complete the following steps:


Step 1 Click the filter icon in the Live Logs page.

Step 2 Enter the filter criteria in the text box.

The filtered data is displayed.


Refreshing the Live Logs Page

This page is automatically refreshed after every 10 seconds, by default. You can change the refresh rate to one of the following:

20 seconds

30 seconds

1 minute

2 minutes

none

Deleting the Live Logs

You can clear all the live logs by clicking the Clear button.