This feature is very useful for "guest users" and/or non-domain computers that don't log in to AD.
Unfortunately, other competitors have this feature and other important features such as "SSL decryption", PBR, and virtual routers.
Is it possible to submit this feature request to the Business Unit, or to have more visibility into the road-map for this implementation?
This feature is now available in Firepower (Sourcefire) version 6.0.0. For more information, please have a look at the article below.
Rate this if it helps!!
This is the solution:
On FirePOWER Services, the ASA forwards captive portal traffic - that is, the traffic containing the authentication of the client to the firewall - to the SFR (FirePOWER Services) module. It is necessary to configure the required captive-portal port in the ASA for this traffic to be forwarded.
On the ASA, this can be verified by executing
show run captive-portal
To configure captive portal on the ASA, perform the following
captive-portal global port 885
To clear configuration
clear conf captive-portal
To display the active rules and how many times they have been hit, run
show asp table classify domain captive-portal
Access policies apply to all traffic flowing through the system, including traffic that is destined to the firewall box itself. For example, if an access policy is applied that simply denies all traffic and the user is redirected for captive portal authentication, the access policy will block the user's attempt to authenticate. An access policy rule must be configured to allow traffic for authentication. Configure an access rule to allow traffic destined to the sensor's IP address and the chosen authentication port.
HTTP server logs
Authentication is performed by communicating with an HTTP server running on the sensor. It outputs logs to /var/log/captive_portal.log.
For captive portal, the following processes should be up and running, and their status can be confirmed with the following commands (on the FirePOWER CLI as root):
sudo su -
pmtool status | grep snort
pmtool status | grep de
pmtool status | grep adi
pmtool status | grep SFDataCorrelator
ps -eaf | grep bltd
ps -ef | grep idhttpsd
In addition, verify that the idhttpsd process is listening on the expected port.
netstat -anp | grep 885
To use captive portal with HTTPS traffic, an SSL policy must be created to decrypt the traffic and associated with an AC policy.
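The process and port checks above are easy to misread: `ps -ef | grep idhttpsd` always matches the grep command itself, so a single line of output does not mean the daemon is up. The following added example (not from the original post; all sample output and paths are constructed) parses `ps -ef` and `netstat -anp` output and reports whether idhttpsd is really running and listening on the captive-portal port.

```python
import re

# Constructed `ps -ef | grep idhttpsd` output on a sensor where idhttpsd is NOT
# running: the only match is the grep process searching for it.
PS_OUTPUT_DOWN = """root      4480  3926  0 08:04 ttyS1    00:00:00 grep idhttpsd
"""

# Constructed output where idhttpsd is running (binary path is made up).
PS_OUTPUT_UP = """root      2211     1  0 07:59 ?        00:00:03 /usr/local/sf/bin/idhttpsd -f idhttpsd.conf
root      4480  3926  0 08:04 ttyS1    00:00:00 grep idhttpsd
"""

# Constructed `netstat -anp` output with idhttpsd listening on port 885.
NETSTAT_OUTPUT_UP = """tcp        0      0 0.0.0.0:885             0.0.0.0:*               LISTEN      2211/idhttpsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
"""

def idhttpsd_pids(ps_output):
    """Return PIDs of real idhttpsd processes, ignoring the grep line."""
    pids = []
    for line in ps_output.splitlines():
        # ps -ef columns: UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces)
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue
        program = fields[7].split()[0]
        # Only count lines whose command is the daemon, not "grep idhttpsd"
        if program.endswith("idhttpsd"):
            pids.append(int(fields[1]))
    return pids

def listening_on(netstat_output, port):
    """Return (pid, program) pairs holding a TCP LISTEN socket on `port`."""
    pat = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")
    found = []
    for line in netstat_output.splitlines():
        m = pat.match(line)
        if m and int(m.group(1)) == port:
            found.append((int(m.group(2)), m.group(3)))
    return found

def captive_portal_status(ps_output, netstat_output, port=885):
    """Combine both checks: the daemon must exist AND own the listener on `port`."""
    pids = idhttpsd_pids(ps_output)
    if not pids:
        return "idhttpsd not running"
    if not any(pid in pids for pid, _ in listening_on(netstat_output, port)):
        return "idhttpsd running but not listening on port %d" % port
    return "ok"
```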
Filippo, first of all, thank you for a great post; very useful during troubleshooting.
I did confirm that idhttpsd is not started in my setup:
root@asafp01:~# ps -ef | grep idhttpsd
root 4480 3926 0 08:04 ttyS1 00:00:00 grep idhttpsd
netstat -anp | grep 885
I tried to start the process manually, but without success, as idhttpsd.conf is missing.
Have you seen anything like this?