Author Topic: FireSIGHT Captive Portal Active Authentication  (Read 42840 times)

Offline Pacerfan9

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 2
  • Certification: CCNP
FireSIGHT Captive Portal Active Authentication
« on: March 22, 2016, 02:04:54 PM »
I configured an identity policy in FireSIGHT 6.0.1 to use active authentication. The certificate presented is for my FQDN (firesight.mydomain.com, for example). During active authentication the intercept comes from my firewall's IP address (192.168.1.254, for example), which creates a browser warning because of the mismatched address.

About 55 minutes into the SEC0227 - ASA Firepower 6.0 Passive and Active Authentication video it is mentioned that the firewall's IP address could possibly be added to the SAN of a certificate. Can a private IP address be added to the SAN of a certificate issued by a public CA? If I use my internal CA, that will not be trusted by all devices in our environment.

I am thinking that if the redirect could be forwarded to an FQDN, and if the firewall could present a matching certificate, that would eliminate this error. Is that, or some other method, possible?
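The mismatch described in the post, as an added example that is not from the thread or from Cisco: a small host-vs-SAN checker in Python that reproduces what the browser does when the captive portal redirect lands on the firewall IP instead of the FQDN. The certificate is a constructed stand-in (only its SAN entries matter here), and the FQDN and IP are the placeholder values used above.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 certificate."""
    dns_names: list = field(default_factory=list)  # subjectAltName dNSName entries
    ip_addrs: list = field(default_factory=list)   # subjectAltName iPAddress entries

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, one leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label and cover at least two more labels
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def host_matches_cert(url_host: str, cert: Cert) -> bool:
    """True if the host in the URL the browser was redirected to is covered by the
    certificate's SAN, using the same rules a browser applies."""
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is satisfied only by an iPAddress SAN entry;
        # a dNSName spelling the same digits does not count.
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addrs)
    return any(_dns_match(p, url_host) for p in cert.dns_names)

# Constructed values mirroring the thread: the cert is for the FQDN, but the
# captive portal redirect sends the browser to the firewall's IP address.
FQDN = "firesight.mydomain.com"
FIREWALL_IP = "192.168.1.254"

def thread_scenarios() -> dict:
    fqdn_only = Cert(dns_names=[FQDN])
    with_ip_san = Cert(dns_names=[FQDN], ip_addrs=[FIREWALL_IP])
    wildcard = Cert(dns_names=["*.mydomain.com"])
    return {
        "redirect_to_ip_fqdn_cert": host_matches_cert(FIREWALL_IP, fqdn_only),   # False: warning
        "redirect_to_ip_ip_in_san": host_matches_cert(FIREWALL_IP, with_ip_san), # True
        "redirect_to_fqdn_fqdn_cert": host_matches_cert(FQDN, fqdn_only),        # True
        "wildcard_covers_fqdn": host_matches_cert(FQDN, wildcard),               # True
        "wildcard_not_apex": host_matches_cert("mydomain.com", wildcard),        # False
    }
```

Either fix in the thread (an iPAddress SAN entry for the firewall, or redirecting to the FQDN the certificate already names) makes the check pass; whether a public CA will issue the former is a separate question the thread leaves open.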

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: FireSIGHT Captive Portal Active Authentication
« Reply #1 on: March 23, 2016, 05:22:57 PM »
I believe you used to be able to add a private IP to a public cert, but it is no longer supported, although it does not hurt to check with your cert provider.
Of course, like you said, a proper way would have been the ASA redirecting to an FQDN URL, but I have yet to come across a way to do this on ASA or Firepower. At the same time, it is hard to believe it is not supported, as this means that all active auth users will encounter a cert warning.
I would check with Cisco TAC to see if they have a workaround for this.

Offline Pacerfan9

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 2
  • Certification: CCNP
Re: FireSIGHT Captive Portal Active Authentication
« Reply #2 on: March 24, 2016, 12:52:07 PM »
I have a case opened with TAC and I am waiting for a response from the engineer. I would like to use passive authentication with active fallback; as it currently stands, I do not see how the active authentication would be usable, since it is likely the machines needing the fallback would be the ones not joined to the domain and not trusting an internal certificate.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: FireSIGHT Captive Portal Active Authentication
« Reply #3 on: March 24, 2016, 08:54:56 PM »
I hear you. Let us know what TAC says.

Offline robin

  • Cisco Newbie
  • *
  • Posts: 13
  • Reputation: 1
  • Certification: CCIE
Re: FireSIGHT Captive Portal Active Authentication
« Reply #4 on: April 04, 2016, 02:08:53 AM »
Hi Pacerfan9,

Could you please share the configuration for Internal Certs? How can I generate an Internal Cert? I have just a CA server (Win 2008). I am confused about the Internal CA and Internal Certs.

Thanks

Offline Pacerfan9

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 2
  • Certification: CCNP
Re: FireSIGHT Captive Portal Active Authentication
« Reply #5 on: April 04, 2016, 07:16:27 PM »
I did not generate an internal cert; I obtained a certificate in PFX format from a public CA.

I used this document to explain how to convert it: [link removed].

I then imported the certificate under Objects, Object Management, PKI:
Added the public CA to Trusted CAs
Added the FireSIGHT cert to Internal Certs

I think after that I needed to associate the certificate under System, Configuration, HTTPS Certificate.

Offline robin

  • Cisco Newbie
  • *
  • Posts: 13
  • Reputation: 1
  • Certification: CCIE
Re: FireSIGHT Captive Portal Active Authentication
« Reply #6 on: April 05, 2016, 10:36:11 AM »
Thanks Pacerfan9! ;D

Offline complexmind

  • Cisco Newbie
  • *
  • Posts: 2
  • Reputation: 0
  • Certification: CCNA
Re: FireSIGHT Captive Portal Active Authentication
« Reply #7 on: April 13, 2016, 08:27:30 AM »
+1 for hearing what TAC says about the certificate errors on captive portal with active auth. The cert errors basically make active authentication unusable.

I'll open up a case with TAC too. Maybe they'll have a workaround.
« Last Edit: April 13, 2016, 10:58:26 AM by complexmind »

Offline complexmind

  • Cisco Newbie
  • *
  • Posts: 2
  • Reputation: 0
  • Certification: CCNA
Re: FireSIGHT Captive Portal Active Authentication
« Reply #8 on: April 13, 2016, 11:19:05 AM »
I just heard back directly from a Tier II engineer at TAC on this. Will post updates ASAP.

Offline Pacerfan9

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 2
  • Certification: CCNP
Re: FireSIGHT Captive Portal Active Authentication
« Reply #9 on: April 14, 2016, 06:33:26 PM »
My TAC case is still open. The engineer I am working with was not able to come up with a solution or workaround and is in the process of submitting an enhancement request. Hopefully people will continue to open up cases and Cisco will take this feature seriously. I also posted this on Cisco Support Forums and someone else had a bug created.

