topic Re: Multi-factor authentication for Captive Portal on FTD in Network Security

Multi-factor authentication for Captive Portal on FTD

vaibhav.parlekar1 — Fri, 21 Feb 2020 15:10:01 GMT

Hi,

Has anyone tried integrating Okta or any other two-factor authentication with captive portal on FTD. Couldn't find any configuration example on the same. Any help would be great.

Vaibhav

Re: Multi-factor authentication for Captive Portal on FTD

nspasov — Mon, 22 Jan 2018 16:27:17 GMT

Hello Vaibhav-

This is currently not supported. I would suggest reaching out to your local Cisco team and ask them to create an enhancement request and provide you with the ID.

Sorry to bring the bad news 😞

Thank you for rating helpful posts!

Re: Multi-factor authentication for Captive Portal on FTD

mludwig89 — Wed, 30 Jan 2019 09:23:17 GMT

Just for anyone else that ends up here and using something other than OKTA. (RSA and Duo are supported as of 6.3)

RA VPN: Two-Factor Authentication

Firepower Threat Defense now supports two-factor authentication for RA VPN users using the Cisco AnyConnect Secure Mobility Client. For the two-factor authentication process, we support:

First factor: any RADIUS or LDAP/AD server
Second factor: RSA tokens or DUO passcodes pushed to mobile

For more information on Duo multi-factor authentication (MFA) for FTD, see the Cisco Firepower Threat Defense (FTD) VPN with AnyConnect documentation on the Duo Security website.

Supported platforms: FTD

Documentation:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/new_features.html

Re: Multi-factor authentication for Captive Portal on FTD

markus.albisser1 — Fri, 15 May 2020 07:32:11 GMT

Hi all

Based on the fact that this solution here is already two years old, is there in the mean time a possibility that Firepower can do MFA to enhance security?

Thank you

Markus

Re: Multi-factor authentication for Captive Portal on FTD

mludwig89 — Fri, 15 May 2020 12:02:46 GMT

Markus.albisser
MFA is supported as of code, 6.3 (RSA & DUO). The link to the documentation is in the above post.

Re: Multi-factor authentication for Captive Portal on FTD

markus.albisser1 — Fri, 15 May 2020 14:53:30 GMT

Hi mludwig89

Thanks for your feedback here. Do you also know if this applicable to the Captive Portal part of FP? What we want to do is to authenticate users with the Captive Portal and then to use their IP address and AD group membership for FP rules, for example grant access to a certain server. And we are looking that the user has not only to put his username/password into the Captive Portal, best would be also to be prompted to get an MFA request (Azure here is preferred).

Thanks

Markus

Re: Multi-factor authentication for Captive Portal on FTD

Hrvoje Samec — Tue, 01 Dec 2020 18:43:53 GMT

Hi Markus,

have you found a solution to this problem?

Re: Multi-factor authentication for Captive Portal on FTD

markus.albisser1 — Wed, 02 Dec 2020 04:51:46 GMT

Hi Hrvoje

Unfortunately not, FP actually does not support MFA on their internal Captive Portal. For the moment we cannot go into this direction. It is open on our side in which direction we go, either if MFA is an absolute need we have to evaluate another solution of course outside Cisco (ISE-PIC does not scale for us as well and the ISE is too big for this function). As this topic is on hold for the moment we will start the evaluate process once it comes up again.

Thanks

Markus