FirePOWER Captive Portal Active Authentication Issues

supportgns
Level 1

Hi,

I've been struggling with an Active Authentication lab environment in my ASA FirePOWER version 6.2.2. I want to have a custom page so that anyone who wants to connect must enter credentials (if they exist in my Active Directory server) or specify that he/she is a guest, and that's why I used an HTTP Response Page. I also have a CA on the same AD server, so I followed these steps in order to set up the portal:

  1. Download the CA certificate and distribute it to every computer I want to test Active Authentication on.
  2. Generate a CSR in FMC with the CN set to the DNS name associated with the ASA's inside interface IP.
  3. Upload the CSR to Windows Server Certificate Services and download the signed certificate.
  4. Install the certificate in the Internal CA that I generated.
  5. Create an SSL policy so that it decrypts every connection from "Unknown" to the captive portal using the Decrypt-Resign action with the Internal CA generated previously.
  6. Save changes and deploy.

Well... it's not working at all. When trying to browse from the subnet where I set up Active Auth, I notice this:

  • Using Internet Explorer, I'm warned about an untrusted certificate, but I get the option to continue; I then see the custom response page, I provide credentials (or log in as guest) and I can browse. It's the same in Mozilla Firefox.
  • Using Chrome, I have more issues. Sometimes, mainly in incognito, I try to browse and I'm redirected to the inside interface IP on port 885, but there's a big message "Connect to the network" with the button Connect. I press that button and get a new tab with the same message. It's like a loop.
  • Other times, Chrome shows a security warning about untrusted certificates, but like in IE, I have the option to continue to the custom authentication page, and I'm authorized.
  • I don't understand why I'm being redirected to the IP address of the inside interface instead of its DNS name, even though I have that record (forward and reverse) in the local DNS server.
  • When I'm not in incognito (Mozilla and Chrome) I'm not even blocked from some HTTPS pages! (And I have an ACP so that for the Unknown identity, it blocks everything other than the captive portal.)

And worse: I don't know why, in the captive portal, I'm getting a certificate not signed by my AD CA but signed by the FirePOWER itself. It appears "Issued by" the DNS name of the inside interface IP, even though I verified in Internal CAs that the CA I'm using is signed by my AD server.

I've followed a lot of tutorials, and tried to make it work for at least a month... but no results. Does anyone know what could be happening?

Thanks a lot.


jacopa
Level 1

This device is really driving me crazy. I have the same authentication issues with non-domain-joined computers, and I have tried a lot of things. I really feel this device is still a work in progress, and it really annoys me with this kind of failure, which for me are BASIC features, like good and easy-to-set-up client authentication, redirection URL, and SSL cert for the authentication site. Duh...