12-07-2016 02:39 AM - edited 03-12-2019 06:13 AM
Dear Friends,
Can we configure a captive portal on a Cisco ASA? The requirement is that employees should use their login username and password for accessing the internet. The username will be either a local user or an LDAP user. Please help me.
04-10-2017 03:45 PM
Actually, you can.
https://supportforums.cisco.com/document/56421/asa-cut-through-authentication-proxy-configuration-and-examples
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113363-asa-cut-through-config-00.html
Well, it may not be a portal, but you can let users authenticate before any traffic gets passed.
Should do the trick.
Markus
04-10-2017 07:21 PM
Sorry - you're correct Markus.
I had forgotten about that feature. Maybe because I have never seen it used (and I've worked on hundreds of ASAs). :)
04-11-2017 08:04 AM
Yes, I know, it is one of the most forgotten features and actually works like a charm.
We use it a lot if we have to RDP or SSH or whatever else from a dynamic IP to some server and, of course, do not want to open the port to the world, or we just do not trust the AAA mechanics behind the FW.
In a practical sense, all ports you would like to open to get into your network from the outside world but didn't, because you are bouncing through dyn IPs and know it will not take but 10 seconds before your FW gets hit by drive-bys - now you can.
So, HTTP to an alternate port, authenticate either LOCAL or AAA - and you are good to go.
Cheers
Markus
04-10-2017 07:22 PM
Are you asking about the ASA by itself or for an ASA with FirePOWER services module active?
In the first case, you cannot have a captive portal on the ASA. EDIT - see below.
With FirePOWER, you can configure a captive portal if you have an external realm. Supported realm types are AD and LDAP. I don't believe local users are supported in this scheme.
Captive portal configuration is described in detail in the following Tech note:
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html