Active Authentication with FTD & FMC and Chrome issues

supportgns
Level 1

Hi,

 

I've been developing a lab of integrating FTD and FMC with an Active Directory to test Passive and Active Authentication. With Passive it works like a charm, I applied several policies like URL and Application filtering to users authenticated by starting Windows session, and effectively they are blocked.

 

With Active Authentication, it's different: it asks for credentials, I provide them and it works, applying URL filtering policies correctly. However, I have the following issues related to the authentication process:

  • When using Google Chrome to try to access the Internet by HTTP (e.g. just typing google.com), it just says "Connect to the network" and when I click Connect, it opens a new window in the same page.
  • When doing the same with IE or Firefox I get a certificate error (even if I downloaded the certificate and added to trusted certificates in Windows), but I get the option to continue. Then it prompts credentials, and I can access successfully.

I've attached some screenshots of what I've been dealing with. I'm trying to find out if this is a Chrome issue or if I'm missing some configuration in my firewall.

 

Thanks for your help.

3 Replies

supportgns
Level 1

Hi,

 

After months of dealing with it, I think I've found the solution. It's an issue related to the certificate used in the Active Authentication tab of the Identity Policy. I generated a CSR in FMC, but I found out that Google Chrome was annoying me because of the missing SAN... and FMC actually does not support the SAN field in its CSR generator.

So I decided to:

1. Create a new root CA, CSR and private key, all from OpenSSL (and distribute my local OpenSSL CA to all computers covered by Active Authentication).

2. The CSR in OpenSSL includes a DNS SAN and an IP SAN. In my case, these are the inside IP of the Firepower and its corresponding DNS record.

3. Issue a certificate to the DNS name of the inside IP.

4. Import the certificate and its associated private key into FMC > Objects > Internal Certs.

5. Use the certificate in Identity Policy > Active Authentication.

6. Deploy.

 

Now it's working as I expected, and I can verify that: from a computer that has my OpenSSL Root CA certificate installed in its Certificate Store but is not covered by the Active Authentication policy, if I access https://<Inside-IP>:885 or https://<DNS-Name-Inside-IP>:885, I get the green padlock in Firefox and Chrome.

 

So when dealing with certificates and Active Authentication, ensure that you can issue a certificate with a SAN (and, if possible, include the IP in the SAN), and, most importantly, get rid of the CSR generator in FMC!
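As an added example (not part of the original reply), the OpenSSL side of steps 1 to 3 above as a script: a private root CA, a CSR that requests DNS and IP SANs, a CA-signed server certificate, and two checks that the SAN and chain are what a browser trusting the root will expect. The hostname and IP are constructed placeholders; substitute the inside IP of the Firepower and its DNS record.

```shell
#!/bin/sh
# Added example, not from the original thread: build a private OpenSSL root CA
# and issue a server certificate whose SAN carries the DNS name and inside IP.
# The hostname and IP passed in are constructed placeholders. server.crt and
# server.key are what FMC imports under Objects > Internal Certs; rootCA.crt is
# what every client covered by Active Authentication must trust.
set -e

# make_san_cert DIR DNS_NAME IP_ADDR
make_san_cert() {
  dir="$1"; host="$2"; ip="$3"
  mkdir -p "$dir"
  # Root CA: private key plus self-signed CA certificate (10 years)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt" \
    -subj "/CN=Lab OpenSSL Root CA" 2>/dev/null
  # Server CSR: a CN alone is not enough for Chrome, so request DNS and IP SANs
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host,IP:$ip" 2>/dev/null
  # 'openssl x509 -req' does not copy CSR extensions by default, so the SAN is
  # restated in an extension file that the CA applies when signing
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" "$ip" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
    -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# check_san CERT DNS_NAME IP_ADDR: succeeds only if both SAN entries are present
check_san() {
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in
    *"DNS:$2"*"IP Address:$3"*) return 0 ;;
  esac
  return 1
}

# verify_chain CA_CERT CERT: the trust check a client with the root CA installed
# performs before showing the padlock
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Requires OpenSSL 1.1.1 or later for `-addext`; with the FMC certificate replaced, the same `check_san` run against `openssl s_client -connect <Inside-IP>:885 -showcerts` output confirms the portal presents the SAN certificate.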

supportgns
Level 1


Can you tell me how you configured the CSR with OpenSSL so that it includes the DNS and IP SAN?

 

Thank you,
