Hi,
I've been struggling with an Active Authentication lab environment in my ASA FirePOWER version 6.2.2. I want to have a custom page so that anyone who wants to connect must enter credentials (if they exist in my Active Directory server) or specify that he/she is a guest, and that's why I used an HTTP Response Page. I also have a CA on the same AD server, so I followed these steps in order to set up the portal:
- Download the CA certificate and distribute it to every computer on which I want to test Active Authentication.
- Generate a CSR in FMC with CN as the DNS name associated to ASA's inside interface IP.
- Upload CSR to Windows Server Certificate Services and download the signed certificate.
- Install the certificate in the Internal CA that I generated.
- Create an SSL policy so that it decrypts every connection from "Unknown" to the captive portal using Decrypt-Resign action with Internal CA generated previously.
- Save changes and deploy.
Well... it's not working at all. When trying to browse from the subnet where I set up Active Auth, I notice this:
- Using Internet Explorer, I'm warned about an untrusted certificate, but I get the option to continue; later I see the custom response page, I provide credentials (or log in as guest) and I browse. It's the same thing in Mozilla Firefox.
- Using Chrome, I have more issues. Sometimes, mainly in incognito, I try to browse and I'm redirected to the inside interface IP on port 885, but there's a big message "Connect to the network" with the button Connect. I press that button and get a new tab with the same message. It's like a loop.
- Other times, Chrome shows a security warning about untrusted certificates, but like in IE, I have the option to continue to the custom authentication page, and I'm authorized.
- I don't understand why I'm being redirected to the IP address of the inside interface instead of its DNS name, even though I have that record (forward and reverse) in the local DNS server.
- When I'm not in incognito (Mozilla and Chrome) I'm not even blocked from some HTTPS pages! (and I have an ACP so that for Unknown identity, it blocks everything other than the captive portal)
And worse: I don't know why in the captive portal I'm getting a certificate not signed by my AD CA, but signed by the FirePOWER itself? It shows "Issued by" as the DNS name of the inside interface IP, even though I verified in Internal CAs that the CA I'm using is signed by my AD server.
I've followed a lot of tutorials, and tried to make it work for at least a month... but no results. Does anyone know what could be happening?
Thanks a lot.
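A diagnostic check for the certificate symptom described above, added here as an example that is not part of the original post: it pulls the leaf certificate the captive portal actually serves on port 885, prints its subject, issuer and SANs, and reports whether the issuer is the AD CA you expect or the certificate is self-issued (issuer equals subject). The host name, port and CA name are assumed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): show which CA really issued the
# certificate that the captive portal presents, and flag a certificate whose
# issuer is just its own subject. Host/port/CA names are assumed placeholders.
PORTAL_HOST="${PORTAL_HOST:-fw-inside.example.local}"   # DNS name of the inside interface
PORTAL_PORT="${PORTAL_PORT:-885}"                        # captive portal port
EXPECTED_CA="${EXPECTED_CA:-Example-AD-CA}"              # CN of the AD issuing CA

# Fetch the leaf certificate from the portal and print subject, issuer and SANs.
# -ext needs OpenSSL 1.1.1 or newer.
fetch_portal_cert() {
    printf '' | openssl s_client -connect "$PORTAL_HOST:$PORTAL_PORT" \
        -servername "$PORTAL_HOST" 2>/dev/null \
      | openssl x509 -noout -subject -issuer -ext subjectAltName 2>/dev/null
}

# Extract the CN from the "subject=..." or "issuer=..." line of openssl x509 output.
# Handles both "CN = x, DC = y" (OpenSSL 1.1+) and "/DC=y/CN=x" (older) layouts.
field_cn() {   # $1 = certificate text, $2 = subject|issuer
    printf '%s\n' "$1" | sed -n "s|^$2=.*CN *= *\([^,/]*\).*|\1|p" | head -n 1
}

# True when the issuer CN equals the CA you expect.
issued_by() {  # $1 = certificate text, $2 = expected CA CN
    [ "$(field_cn "$1" issuer)" = "$2" ]
}

# True when issuer CN equals subject CN: the portal is serving a certificate
# that is not chained to your AD CA at all.
is_self_issued() {
    [ "$(field_cn "$1" issuer)" = "$(field_cn "$1" subject)" ]
}

# Live check; runs only when invoked with --check so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    cert="$(fetch_portal_cert)"
    [ -n "$cert" ] || { echo "could not fetch certificate from $PORTAL_HOST:$PORTAL_PORT"; exit 2; }
    printf '%s\n' "$cert"
    if is_self_issued "$cert"; then
        echo "RESULT: certificate is self-issued (issuer == subject), not from $EXPECTED_CA"; exit 1
    elif issued_by "$cert" "$EXPECTED_CA"; then
        echo "RESULT: certificate issued by $EXPECTED_CA"; exit 0
    else
        echo "RESULT: issued by '$(field_cn "$cert" issuer)', expected $EXPECTED_CA"; exit 1
    fi
fi
```

Run it from a client in the Active Auth subnet with `PORTAL_HOST=<inside DNS name> EXPECTED_CA=<your CA CN> sh check_portal.sh --check`; comparing the printed issuer with what the browser shows under "Issued by" tells you whether the browser warning comes from the chain or from a missing trust anchor on the client.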