I configured an identity policy in FireSIGHT 6.0.1 to use active authentication. The certificate presented is for my FQDN (firesight.mydomain.com for example). During active authentication the intercept comes from my firewalls ip address (192.168.1.254 for example) which creates a browser warning because of the mismatched address.

About 55 mins into the SEC0227 - ASA Firepower 6.0 Passive and Active Authentication video it is mentioned possibly adding the firewalls ip address to the SAN of a certificate. Can a private ip address be added to the SAN of a certificate issued by a Public CA? If I use my internal CA that will not be trusted by all devices in our environment.

I am thinking if the redirect could be forwarded to a fqdn and if the firewall could present a matching certificate that would eliminate this error. Is that or some other method possible?

I have a case opened with TAC and I am waiting for a response from the engineer. I would like to use passive authentication with active fallback, as it currently stands I do not see how the active authentication would be usable since it is likely the machines needing the fallback would be the ones not joined to the domain and trusting an internal certificate.

Hi Pacerfan9,

Could you please share the configuration about Internal Certs? How can i generate an Internal Certs,  I have just a CA Server(win 2008). I am confused about the Internal CA and Internal Certs.

Thanks

Thanks Pacerfan9!

I just heard back directly from a TierII engineer at TAC on this. Will post updates ASAP.