Captive Portal Implementation on Cisco FTD

Chuck Reimer
Level 1

We are looking at the possibility of implementing Captive Portal to authenticate internal users to resources behind an internal firewall running FTD 7.2.4 code and was wondering if anyone has any experience with this and the stability you have seen with it? Also, what are the limitations you have found? Reading through the documentation, one concern I have is the requirement for SSL decryption and the resources required on the FTD. Also, this would only work for interactive logins; how did you approach logins that weren't interactive (service accounts, etc.)? Any insight/guidance is greatly appreciated.

7 Replies

balaji.bandi
Hall of Fame

Is this requirement for all the users in the LAN or any Guest users ?

In a valid design, most people implement 802.1X authentication with identity for LAN users to get authenticated.

If you are still looking to use FTD, then check the guides below:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

https://rayka-co.com/lesson/cisco-ftd-identity-policy-active-authentication/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Internal LAN users only. We use 802.1x also but this particular use case is for PCI compliance.

Do you have ISE in place for 802.1X? Then why not integrate ISE with FTD/FMC?

BB

We do, but for PCI compliance I think we need a different authoritative source for all devices protected.

To be honest, I have not come across this requirement; since you already have identity, making use of that is always better. But again, different organizations have different compliance to follow. But it's doubling up the time it takes to get into the system, if that is acceptable?

BB

@Chuck Reimer why use captive portal? If you are using 802.1X you can send those bindings from ISE to the FTD via the FMC using pxGrid and create rules to permit/deny traffic based on the AD user/group transparently.

I've not tried it for the service accounts but perhaps you could use passive ID to learn the IP/user bindings from AD in ISE and send them to FMC/FTD.

I believe with PCI compliance, users must be authenticated from a different authentication source than your internal authentication source.