Same Issue

kh.farhad · ‎05-23-2016

We're using an asa firepower 5515 which it's sfr is managed by a firesight management center vm. I've configured it's captive portal and it was working for about 1 month with some problems. For some clients the address in addressbar of browser redirects to ip address of inside firewall interface on captive port but it takes about 5 minutes to load and when I checked the logs it seems that all the time sfr is requesting a drop for trraffic to captive portal but I have configured a trust for traffic to port 4455 (captive port). For some other users it never opens. So I decided to use passive authentication with user agent. Now other users that are not joint in Microsoft AD can not be authenticated because captive portal never shows up.

I have used this link http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html to configure the firesight manager and I have generated the certificate in firesight manager NOT in sfr expert mode. Can it be the cause of problem?

This is the log of /var/log/captive_portal.log on sfr expert mode attached.

I also used this thread https://supportforums.cisco.com/discussion/12424996/cisco-asa-sourcefire-captive-portal and output of all commands are attached.

By the way this device is driving me crazy please someone help me on this.

yogdhanu · ‎05-23-2016

Hi

What's the code version on SFR module and ASA. It works on 6.0 but there are some known issues there. If you are on 6.0, I would suggest to upgrade to 6.0.1 first and then test.

kh.farhad · ‎05-23-2016

Hi, thank you for replying. ASA os is 9.6(1), sfr is 6.0.1 (Build 29), firesight manager is 6.0.1.1-4 which are the latest versions. I don't know what is wrong with it.

Jetsy Mathew · ‎06-05-2016

Hello Farhad,

If you think all the configurations are correct as per the version and still face issues, then please contact TAC to verify the issue.

Regards

Jetsy

kh.farhad · ‎05-23-2016

Isn't there anyone with any experience with captive portals?

RAFAEL LOPEZ · ‎06-02-2016

Same Issue

Firesigth 6.0.1

Firepower 6.0.1

ASA 9.6.1 (you can fix the problem of 90% cpu whit command no threat-detection basic-threat & no threat-detection statistics access-list)

the certificate for the active actentication (captive portal) we made that with OpenSSL but not work

and also TAC create a new one on Firesigth but the same result :(

if we test the connectiviti to the ASA IP addres and port it looks like is open

on windows CMD

telnet 10.10.10.1 885

when a suer try to see any web page (even if the web page belongs to a rule that not have to filter by user) the web browser try to reach the asa ip add and the port for authentication and not load the response page (the one that can be customised ) or the basic web authentication (it shoud appear a dialog box asking for username and pass)

the ip add of the inside interface on asa is 10.10.10.1 and the host is 10.10.11.23

on ASDM ->real-time log viewer

SFR requested to drop TCP packet from inside:10.10.11.23/58852 to identity:10.10.10.1/885

i have installed the Cisco Firsigth User Agent 2.3 on a machine that IS NOT the AD (and the status of connections to the AD and to the Firesigth is OK)

AD server is 2k8 windows

and when we download users and groups (from firesigth>system>realm>User download>download now) in the tasks show

Download users/groups from Realm-Test. LDAP download successful: 12 groups, 0 users downloaded

The customer wanna kill me i have an Open case whit TAC if they answer me i will post it

Regards and i hope that some one could help!

kh.farhad · ‎06-05-2016

Hi Rafael,

I have installed AD agent it's working fine for users that their systems are joined to the domain. When they login or logoff its notification goes to the management center immediately. But not all of the computers are joined to the domain so the problem still exist and for some users accidentally the page does not load and the same message is shown in the log messages of asdm > sfr requests drop for packets destined to captive portal.

Any solution yet?

RAFAEL LOPEZ · ‎06-08-2016

Hi, kh.farhad
i make it work, when i press download button under realm i get the groups and users !

1.-change on realm type from Ldap to AD

2.-secure conection to AD (ssl) and also upload the server certificate

3.-i change all ip to FQD
the identity source instade of use ip i use the fqdn of the host where is installed the User Agent, and also on the aplication
on the Firepower user Agent aplication(is not instaled on the AD)>general >Agent name FQDN of that local host
on the tab "Active directory Servers">host i use the fqdn of AD(active directory server)
on tab "firepower Management Center" >host the fqdn of Firesigth

even if all looks good doublecheck on the folder where the Cisco firepower user agent is isntalled
C:\Program Files (x86)\Cisco Systems, Inc\Cisco Firepower User Agent for Active Directory>

there is an application called >Tools>under "User MAP" tab> check export IPv4 addresses with mapped users

and download it to CSV

4.-on the firesith>events>users you should be able to see users

5.-on the AD server you should be able to see logon logof events,!!! very important

the Firepowers have to resolve the fqdn of the AD (tha have to have internal DNS and the serch domain)
try to nslookup on expert level or

use on the firepower cli
> system support ping AD.server.local

where AD.server.local is your fqdn AD

6.- under access control polocy>make the first rule to allow
source local network ;destination any to the port 885
(the one that you define under identity policy >advanced port & the same port should be configured on the ASA captiveportal config)

7.-at the end of the access rules if you have the default action to trust before that make a new rule that allow any any

8.-at the identity policy i use the certificate created by openssl on a win 7 machine

9.-reboot all (firesigth,firepowers,ASAs)

!!!!!
the behavior is if a user is not on the local database (when you download users and groups) the computer should
prompt on a web browser like firefox or chrome and show a warning (if you dont have an trusted CA)
https://10.10.10.1:885/x.auth?r=3&s=10.10.10.47&a=1&u=http%3A%2F%2Fslither.io%2F
where 10.10.10.1 is the interfaces of inside and the 10.10.10.47 is the ip add of the user
!!!!!

10.-try again and if it works take a vacations!

i have a question can you change https://10.10.10.1:885/x.auth? ; to https://ASAxxxx:885/x.auth?

i explain this in my very bad english, because i did found that on the guides. and maybe i cloud help to someone.

Captive portal does not load some times