04-17-2018 06:37 AM - edited 02-21-2020 07:38 AM
Hi,
I've been developing a lab integrating FTD and FMC with an Active Directory to test Passive and Active Authentication. With Passive it works like a charm: I applied several policies, like URL and application filtering, to users authenticated by starting a Windows session, and they are effectively blocked.
With Active Authentication it's different: it asks for credentials, I provide them and it works, applying URL filtering policies correctly. However, I have the following issues related to the authentication process:
I've attached some screenshots of what I've been dealing with. I'm trying to find out if this is a Chrome issue or if I'm missing some configuration in my firewall.
Thanks for your help.
07-31-2018 09:27 AM
Hi,
After months of dealing with it, I think I've found the solution. It's an issue related to the certificate used in the Active Authentication tab of the Identity Policy. I generated a CSR in FMC, but I found out that Google Chrome was annoying me because the SAN was missing... and FMC actually does not support the SAN field in its CSR generator.
So I decided to:
1. Create a new root CA, CSR and private key, all from OpenSSL (and distribute my local OpenSSL CA to all computers covered by Active Authentication).
2. The CSR in OpenSSL includes a DNS SAN and an IP SAN. In my case, these are the inside IP of the Firepower and its corresponding DNS record.
3. Issue a certificate to the DNS name of the inside IP.
4. Import the certificate and its associated private key into FMC > Objects > Internal Certs.
5. Use the certificate in Identity Policy > Active Authentication.
6. Deploy.
Now it's working as I expected. And I can verify that because, from a computer that has my OpenSSL Root CA certificate installed in the Certificate Store but is not covered by the Active Authentication policy, if I access https://<Inside-IP>:885 or https://<DNS-Name-Inside-IP>:885, I get the green padlock in Firefox and Chrome.
So when dealing with certificates and Active Authentication, ensure that you can issue a certificate with a SAN (and if possible include the IP in the SAN), and most important: get rid of the CSR generator in FMC!
09-30-2020 12:50 PM
Can you tell me how you configured the CSR with OpenSSL so that it included the DNS and IP SAN?
Thank you,
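As an added example (not the original poster's script or Cisco's), the following POSIX shell functions carry out steps 1 to 3 of the solution post above and answer this question: they create a local OpenSSL root CA, generate a CSR whose extensions carry both a DNS SAN and an IP SAN, sign it with the CA, and read the SAN back out of the issued certificate. The hostname ftd-inside.lab.example and the address 192.0.2.1 are constructed placeholders for the FTD inside interface; only the openssl command-line tool is assumed, and the CSR extensions are supplied through a config file rather than -addext so the commands also work on OpenSSL builds older than 1.1.1.

```shell
#!/bin/sh
# Added example, not the poster's own commands. Builds a lab root CA and issues
# a server certificate with DNS + IP SANs for an FTD inside interface, which is
# what Chrome requires before it shows the padlock on the captive portal.
# Hostname/IP below are constructed placeholders; replace them with your own.

make_active_auth_cert() {
  workdir="$1"    # directory that receives ca.key, ca.crt, server.key, server.csr, server.crt
  dns_san="$2"    # DNS record of the inside interface, e.g. ftd-inside.lab.example
  ip_san="$3"     # inside IP of the FTD, e.g. 192.0.2.1
  mkdir -p "$workdir" || return 1

  # Step 1: root CA private key and self-signed CA certificate. Distribute
  # ca.crt (never ca.key) to the Certificate Store of every client covered
  # by Active Authentication.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Lab OpenSSL Root CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" >/dev/null 2>&1 || return 1

  # Step 2: request config. The CN is kept for older clients; modern browsers
  # only look at subjectAltName, so both the DNS name and the IP go there.
  cat > "$workdir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = ${dns_san}
[v3_req]
subjectAltName = DNS:${dns_san}, IP:${ip_san}
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$workdir/req.cnf" \
    -keyout "$workdir/server.key" -out "$workdir/server.csr" >/dev/null 2>&1 || return 1

  # Step 3: sign the CSR with the CA. "x509 -req" ignores the extensions inside
  # the CSR, so the same v3_req section is passed again with -extfile/-extensions;
  # without that the issued certificate would silently lack the SAN.
  openssl x509 -req -in "$workdir/server.csr" \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$workdir/req.cnf" -extensions v3_req \
    -out "$workdir/server.crt" >/dev/null 2>&1 || return 1
}

# Print the Subject Alternative Name line of a PEM certificate (uses -text so it
# also works on OpenSSL builds that lack "x509 -ext").
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Check that server.crt chains to ca.crt, the same trust check a client with the
# CA installed performs; returns 0 on success.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Usage: sh this_script.sh demo  (writes into ./lab-pki and prints the SAN)
if [ "$1" = "demo" ]; then
  make_active_auth_cert ./lab-pki ftd-inside.lab.example 192.0.2.1 || exit 1
  verify_chain ./lab-pki || exit 1
  cert_san ./lab-pki/server.crt
fi
```

After running, import server.crt together with server.key into FMC > Objects > Internal Certs (steps 4 to 6 of the post above), and confirm with cert_san that the certificate really carries both DNS:<name> and IP Address:<inside IP>; a CSR that had the SAN but was signed without -extfile/-extensions is the usual reason the padlock still fails.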