
Captive Portal Config in CISCO ASA

manu.mp
Level 1

Dear Friends,

Can we configure a captive portal on the Cisco ASA? The requirement is that employees should use their login username and password for accessing the internet. The username will be either a local user or an LDAP user. Please help me.


Michael Braun
Level 1

Actually, you can.

https://supportforums.cisco.com/document/56421/asa-cut-through-authentication-proxy-configuration-and-examples

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113363-asa-cut-through-config-00.html

Well, it may not be a portal, but you can let users authenticate before any traffic gets passed.

Should do the trick

Markus

Sorry - you're correct Markus.

I had forgotten about that feature. Maybe because I have never seen it used (and I've worked on hundreds of ASAs). :)

Yes, I know, it is one of the most forgotten features and actually works like a charm.

We use it a lot if we have to RDP or SSH or whatever else from a dynamic IP to some server and of course do not want to open the port to the world, or we just do not trust the AAA mechanics behind the FW.
In a practical sense, all the ports you would like to open to get into your network from the outside world but didn't, because you are bouncing through dynamic IPs and know it will not take but 10 seconds before your FW gets hit by drive-bys - now you can.

So, HTTP to an alternate port, authenticate either LOCAL or AAA - and you are good to go.

Cheers

Markus
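
An added example, not part of any post in this thread and not taken from the linked Cisco documents: a minimal cut-through proxy configuration for the original question, where inside users must authenticate against LDAP before their HTTP/HTTPS traffic is passed. The interface name, ACL and server-group names, addresses, DNs, listener port 1443 and timeout are constructed placeholders.

```cisco
! --- Constructed example values; replace with your own ---
! LDAP server group used to verify user credentials
aaa-server LDAP_USERS protocol ldap
aaa-server LDAP_USERS (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <BIND_PASSWORD>
 ! Protect the bind password and user credentials on the wire
 ldap-over-ssl enable
 server-type microsoft
!
! Traffic that must be authenticated before it is forwarded:
! web traffic from the (constructed) employee subnet to anywhere
access-list WEB_AUTH extended permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list WEB_AUTH extended permit tcp 10.10.0.0 255.255.0.0 any eq https
!
! Require authentication for flows matching WEB_AUTH on the inside interface
aaa authentication match WEB_AUTH inside LDAP_USERS
!
! Local-user alternative: define the users on the ASA and match against
! LOCAL instead of the LDAP server group
!   username jdoe password <USER_PASSWORD>
!   aaa authentication match WEB_AUTH inside LOCAL
!
! Serve the login page from the ASA over HTTPS on an alternate port and
! redirect unauthenticated web requests to it
aaa authentication listener https inside port 1443 redirect
!
! Keep credentials for plain-HTTP destinations off the wire in clear text
aaa authentication secure-http-client
!
! Force re-authentication after 30 minutes regardless of activity
timeout uauth 0:30:00 absolute
```

After applying it, `show uauth` lists the users currently authenticated through the proxy and `clear uauth` forces them to log in again.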

Marvin Rhoads
Hall of Fame

Are you asking about the ASA by itself or for an ASA with FirePOWER services module active?

In the first case, you cannot have a captive portal on the ASA. EDIT - see below.

With FirePOWER, you can configure a captive portal if you have an external realm. Supported realm types are AD and LDAP. I don't believe local users are supported in this scheme.

Captive portal configuration is described in detail in the following Tech note:

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html
