<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Active Authentication with FTD &amp; FMC and Chrome issues in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/4159647#M1074301</link>
    <description>&lt;P&gt;Can you tell me how you configured the CSR with OpenSSL that includes the DNS and IP SAN?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;</description>
    <pubDate>Wed, 30 Sep 2020 19:50:50 GMT</pubDate>
    <dc:creator>chong00011</dc:creator>
    <dc:date>2020-09-30T19:50:50Z</dc:date>
    <item>
      <title>Active Authentication with FTD &amp; FMC and Chrome issues</title>
      <link>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/3367357#M975106</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've been developing a lab of integrating FTD and FMC with an Active Directory to test Passive and Active Authentication. With Passive it works like a charm, I applied several policies like URL and Application filtering to users authenticated by starting Windows session, and effectively they are blocked.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;With Active Authentication, it's different: it asks for credentials, I provide them and it works, applying URL filtering policies correctly. However, I have the following issues related to the authentication process:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;When using Google Chrome to try to access the Internet by HTTP (e.g. just typing google.com), it just says "Connect to the network" and when I click Connect, it opens a new window in the same page.&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;When doing the same with IE or Firefox I get a certificate error (even if I downloaded the certificate and added to trusted certificates in Windows), but I get the option to continue. Then it prompts credentials, and I can access successfully.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;I've attached some screenshots of what I've been dealing with. I'm trying to find out if this is a Chrome issue or if I'm missing some configuration in my firewall.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Thanks for your help.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 15:38:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/3367357#M975106</guid>
      <dc:creator>supportgns</dc:creator>
      <dc:date>2020-02-21T15:38:31Z</dc:date>
    </item>
    <item>
      <title>Re: Active Authentication with FTD &amp; FMC and Chrome issues</title>
      <link>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/3678444#M975108</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;After months of dealing with it, I think I've found the solution. It's an issue related to the certificate used in the Active Authentication tab in the Identity Policy. I generated a CSR in FMC but I found out that Google Chrome was annoying me because of the missing SAN... and FMC actually does not support the SAN field in its CSR generator.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So I decided to:&lt;/P&gt;
&lt;P&gt;1. Create a new root CA, CSR and private key all from OpenSSL (and distribute my local OpenSSL CA between all computers&amp;nbsp;covered by&amp;nbsp;Active Authentication).&lt;/P&gt;
&lt;P&gt;2. The CSR in OpenSSL includes a DNS SAN and an IP SAN. In my case, these are the inside IP of the Firepower and its corresponding DNS record.&lt;/P&gt;
&lt;P&gt;3. Issue a certificate to the DNS name of the inside IP.&lt;/P&gt;
&lt;P&gt;4. Import the certificate and its associated private key into FMC &amp;gt; Objects &amp;gt; Internal Certs.&lt;/P&gt;
&lt;P&gt;5. Use the certificate in Identity Policy &amp;gt; Active Authentication.&lt;/P&gt;
&lt;P&gt;6. Deploy.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Now it's working as I expected. And I can verify that because from a computer that has my OpenSSL Root CA certificate installed in the Certificate Store, but is not covered by the Active Authentication policy, if I access https://&amp;lt;Inside-IP&amp;gt;:885 or https://&amp;lt;DNS-Name-Inside-IP&amp;gt;:885, I get the green padlock in Firefox and Chrome.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So when dealing with certificates and Active Authentication, ensure that you can issue a certificate with a SAN (and if possible include the IP in the SAN), and the most important: get rid of the CSR generator in FMC!&lt;/P&gt;</description>
      <pubDate>Tue, 31 Jul 2018 16:27:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/3678444#M975108</guid>
      <dc:creator>supportgns</dc:creator>
      <dc:date>2018-07-31T16:27:21Z</dc:date>
    </item>
    <item>
      <title>Re: Active Authentication with FTD &amp; FMC and Chrome issues</title>
      <link>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/3678445#M975109</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;After months of dealing with it, I think I've found the solution. It's an issue related to the certificate used in the Active Authentication tab in the Identity Policy. I generated a CSR in FMC but I found out that Google Chrome was annoying me because of the missing SAN... and FMC actually does not support the SAN field in its CSR generator.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So I decided to:&lt;/P&gt;
&lt;P&gt;1. Create a new root CA, CSR and private key all from OpenSSL (and distribute my local OpenSSL CA between all computers&amp;nbsp;covered by&amp;nbsp;Active Authentication).&lt;/P&gt;
&lt;P&gt;2. The CSR in OpenSSL includes a DNS SAN and an IP SAN. In my case, these are the inside IP of the Firepower and its corresponding DNS record.&lt;/P&gt;
&lt;P&gt;3. Issue a certificate to the DNS name of the inside IP.&lt;/P&gt;
&lt;P&gt;4. Import the certificate and its associated private key into FMC &amp;gt; Objects &amp;gt; Internal Certs.&lt;/P&gt;
&lt;P&gt;5. Use the certificate in Identity Policy &amp;gt; Active Authentication.&lt;/P&gt;
&lt;P&gt;6. Deploy.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Now it's working as I expected. And I can verify that because from a computer that has my OpenSSL Root CA certificate installed in the Certificate Store, but is not covered by the Active Authentication policy, if I access https://&amp;lt;Inside-IP&amp;gt;:885 or https://&amp;lt;DNS-Name-Inside-IP&amp;gt;:885, I get the green padlock in Firefox and Chrome.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So when dealing with certificates and Active Authentication, ensure that you can issue a certificate with a SAN (and if possible include the IP in the SAN), and the most important: get rid of the CSR generator in FMC!&lt;/P&gt;</description>
      <pubDate>Tue, 31 Jul 2018 16:28:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/3678445#M975109</guid>
      <dc:creator>supportgns</dc:creator>
      <dc:date>2018-07-31T16:28:12Z</dc:date>
    </item>
    <item>
      <title>Re: Active Authentication with FTD &amp; FMC and Chrome issues</title>
      <link>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/4159647#M1074301</link>
      <description>&lt;P&gt;Can you tell me how you configured the CSR with OpenSSL that includes the DNS and IP SAN?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 19:50:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-authentication-with-ftd-amp-fmc-and-chrome-issues/m-p/4159647#M1074301</guid>
      <dc:creator>chong00011</dc:creator>
      <dc:date>2020-09-30T19:50:50Z</dc:date>
    </item>
  </channel>
</rss>