FireSIGHT Captive Portal Active Authentication

Pacerfan9_2
Level 1

I configured an identity policy in FireSIGHT 6.0.1 to use active authentication. The certificate presented is for my FQDN (firesight.mydomain.com for example). During active authentication the intercept comes from my firewall's IP address (192.168.1.254 for example), which creates a browser warning because of the mismatched address.

I am thinking if the redirect could be forwarded to an FQDN and if the firewall could present a matching certificate, that would eliminate this error. Is that or some other method possible? I will need a certificate that can be issued by a public CA to be used so it can be trusted by all devices in our environment.

6 Replies

pselder01
Level 1

I have the issue also. We have a wildcard certificate on the ASA but this does not get triggered because the FMC uses the IP address instead of the FQDN hostname.

The following bug report was created for this:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy03864

I hope that will help in tracking progress. 

Or does anyone have another workaround?
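Why the browser warns in the situation described in the two posts above, as an added example that is not part of the original thread and not Cisco code: name checking compares the host in the redirect URL against the certificate's subjectAltName entries, and an IP literal only matches an IP-type entry, never a DNS name or wildcard. The function names are hypothetical, and the SAN lists are constructed from the example FQDN and address in the first post plus an assumed `*.mydomain.com` wildcard.

```python
import ipaddress


def _is_ip(value):
    """True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Match a DNS SAN against a hostname; '*' covers one left-most label only."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(url_host, san_entries):
    """san_entries uses the (type, value) shape of ssl.getpeercert()['subjectAltName']."""
    if _is_ip(url_host):
        target = ipaddress.ip_address(url_host)
        # An IP in the URL is compared only with IP-type SANs.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == target
                   for kind, value in san_entries)
    return any(kind == "DNS" and _dns_match(value, url_host)
               for kind, value in san_entries)


# Constructed SAN lists (assumptions, not taken from a real certificate).
FQDN_CERT = [("DNS", "firesight.mydomain.com")]
WILDCARD_CERT = [("DNS", "*.mydomain.com")]
IP_SAN_CERT = [("DNS", "firesight.mydomain.com"), ("IP Address", "192.168.1.254")]

if __name__ == "__main__":
    for host in ("192.168.1.254", "firesight.mydomain.com"):
        for label, sans in (("fqdn", FQDN_CERT), ("wildcard", WILDCARD_CERT),
                            ("ip-san", IP_SAN_CERT)):
            print(f"{host:24} {label:9} match={cert_matches(host, sans)}")
```

Publicly trusted CAs do not issue certificates for private addresses such as 192.168.1.254, so the IP-SAN case is only reachable with an internal CA; with a public certificate the redirect itself has to use the FQDN.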

Thanks for the link to the bug report. I have a case open with TAC and the engineer could not come up with a workaround. Hopefully Cisco can fix the bug sooner rather than later.

I think it will be for another few months. The affected version listed in the report is 6.1.0, which has not even come out yet. So any update after that could have it fixed. We're now on 6.0.1.

No idea what the release cycle is for FMC.

Same here. I referenced this thread and the link above in my last email to the Cisco tech working on my case... 

*sigh*

The 'half baked' upgrades are becoming more common. :(

jsvanberg
Level 1

Is this still an issue? I have the same problem with version 6.2.

We also have the same problem with 6.2.
