Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3061
Views
0
Helpful
6
Replies

ASA Captive Portal Certificate

JRDIAZ758
Level 1
Level 1

‎03-28-2017 05:45 AM - edited ‎03-12-2019 06:20 AM

My users are not very PC savy so when Firepower redirects them to the captive portal, sometimes they do not click continue to proceed to the portal (since its a untrusted https site), so i want to apply a internal trusted cert to it so it takes them directly to it. 

so how can i apply a certificate to my captive portal ??

Labels:
0 Helpful
6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-18-2017 12:32 PM

When you setup captive portal it gives you the option to select the certificate from among those installed on your server.

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/realms_and_identity_policies.html#task_B09D4711593E4506890BB8BE25B39B31

So first get and upload a certificate onto FMC and it will then be available for use. If you have a wildcard certificate issued from a trusted CA for organizational internal use, that usually works fine.

0 Helpful

JRDIAZ758
Level 1
Level 1
In response to Marvin Rhoads

‎04-18-2017 12:32 PM

hey, for the cert to work it needs to point to a name. now how do i make firepower redirect the user to a URL instead of an IP?

becuase this is what i get for the captive portal

https://10.215.5.37:885/x.auth?s=%2FrZ81pWdODMVFRWqLU36fY4Jww395sMbfzcSSki6KRw%3D&u=http%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkID%3D219472%26clcid%3D0x409

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to JRDIAZ758

‎04-20-2017 12:58 AM

I'm not sure if you can do that currently. I would suggest openeing a TAC case to check.

If it was your own internally generated certificate, you could make the CN equal to the IP address or alternatively add a Subject Alternative Name (SAN) of the IP address.

0 Helpful

mwebb
Level 1
Level 1
In response to JRDIAZ758

‎05-11-2017 09:49 AM

When using HTTP Response page Firepower will not redirect to hostname.  Thus captive portal as people are used to using it is broken.  Especially so in a BYOD environment (Universities, Hospitals, Hotels, Restaurants, Malls, etc) Clicking through SSL warnings is terrible posture, especially for a security company.   See bug here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz37162

If possible please open a case under this bug and contact your account rep to get some exposure.  For some reason this is listed as an "enhancement"q

0 Helpful

Dill
Level 1
Level 1
In response to mwebb

‎10-16-2018 10:32 AM

Captive Portal was working by using the FQDN in version v6.2.3 now after the update to v6.2.3.6-37, the bug is back and using the IP address instead causing certificate errors.   Even with an IP as SAN you still get the certificate warning in Firefox.  

0 Helpful

abdy
Level 1
Level 1
In response to Dill

‎05-21-2020 08:27 PM

I have the same problem.
I cannot avoid this annoying cert warning.

Appreciate if someone can share the solution of this issue.

Thanks!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card