02-12-2015 04:24 PM - edited 03-12-2019 05:37 AM
Hello
I would like to know if Sourcefire is capable of using a captive portal to authenticate users in the domain and grant them access to the Internet?
Awaiting an answer, thanks a lot.
02-12-2015 05:48 PM
Not to authenticate, no.
Blocking web traffic can display a static web page, or an interactive block can allow a user to click through. But it cannot authenticate.
03-17-2015 06:17 AM
Hi all,
This feature is very useful for "guest users" and/or non-domain computers that do not log in to AD.
Unfortunately, other competitors have this feature and other important features such as "SSL decryption", PBR and virtual routers.
Is it possible to submit this feature request to the Business Unit, or to get more visibility into the roadmap for this implementation?
Thanks all
F.
03-20-2015 02:35 PM
This feature is on the roadmap. You should contact your Cisco account manager for more info.
03-29-2016 06:26 AM
Did anyone get this working on a 5506? I tried everything but never get the authentication page. I saw sessions in the DC pending authentication. Also, has anyone tried this with an Android OS client?
THANKS
01-11-2016 12:37 AM
This feature is now available in Firepower (Sourcefire) version 6.0.0. For more information, please have a look at the article below.
Regards,
Sunil Kumar
Rate this if it helps!!
01-12-2016 07:17 AM
This is the solution:
****
On FirePOWER Services, the ASA forwards captive portal traffic - that is, the traffic carrying the client's authentication to the firewall - to the SFR (FirePOWER Services) module. The required captive-portal port must be configured on the ASA for this traffic to be forwarded.
On the ASA, this can be verified by executing
show run captive-portal
To configure captive portal on the ASA, perform the following:
config t
captive-portal global port 885
To clear the configuration:
no captive-portal
Or:
clear conf captive-portal
To display the active rules and how many times they have been hit, run:
show asp table classify domain captive-portal
****
****
Access policies apply to all traffic flowing through the system, including traffic destined for the firewall box itself. For example, if an access policy is applied that simply denies all traffic and the user is redirected for captive portal authentication, the access policy will block the user's attempt to authenticate. An access policy rule must be configured to allow traffic for authentication. Configure an access rule to allow traffic destined for the sensor's IP address and the chosen authentication port.
HTTP server logs
Authentication is performed by communicating with an HTTP server running on the sensor. It outputs logs to /var/log/captive_portal.log.
****
****
For captive portal, the following processes should be up and running, and their status can be confirmed with the following (on the FirePOWER CLI as root):
expert
sudo su -
pmtool status | grep snort
pmtool status | grep de
pmtool status | grep adi
pmtool status | grep SFDataCorrelator
ps -eaf | grep bltd
ps -ef | grep idhttpsd
In addition, verify that the idhttpsd process is listening on the expected port:
netstat -anp | grep 885
****
****
To use captive portal with HTTPS traffic, an SSL policy must be created to decrypt the traffic and associated with an AC policy.
****
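The two checks in the post above (the ASA must forward captive-portal traffic to a port, and idhttpsd on the module must actually be listening on that same port) are easy to get out of sync when troubleshooting. The script below is an added example, not part of the original post or any Cisco tooling: it takes the text of `show run captive-portal` and of `netstat -anp` (here as constructed sample strings, not captured from a real device; on a live box you would paste the real output in) and reports whether the port the ASA forwards to has a listener. The second sample reproduces the failure reported later in this thread, where nothing listens on 885.

```shell
#!/bin/sh
# Constructed sample of "show run captive-portal" on the ASA (not from a real device).
ASA_CP_CONFIG='captive-portal global port 885'

# Constructed sample of "netstat -anp | grep 885" on a module where idhttpsd is up.
NETSTAT_OK='tcp        0      0 0.0.0.0:885             0.0.0.0:*               LISTEN      5123/idhttpsd'

# Constructed sample where nothing listens on 885 (idhttpsd never started).
NETSTAT_MISSING=''

# Print the port from a "captive-portal global port N" line, or nothing if
# captive portal is not configured on the ASA.
asa_captive_portal_port() {
    printf '%s\n' "$1" | sed -n 's/^captive-portal global port \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the netstat text shows a TCP LISTEN socket on the given port
# owned by idhttpsd, 1 otherwise. The trailing space after the port keeps
# ":885" from matching ":8850".
idhttpsd_listening() {
    port=$1
    printf '%s\n' "$2" | grep -E "^tcp.*:${port} .*LISTEN.*idhttpsd" >/dev/null
}

# Correlate both sides: the port the ASA forwards to must have a listener
# on the module. Returns 0 only when the chain is complete.
check_captive_portal() {
    port=$(asa_captive_portal_port "$1")
    if [ -z "$port" ]; then
        echo "captive-portal is not configured on the ASA (captive-portal global port <port>)"
        return 1
    fi
    if idhttpsd_listening "$port" "$2"; then
        echo "OK: ASA forwards to port $port and idhttpsd is listening there"
        return 0
    fi
    echo "FAIL: ASA forwards captive-portal traffic to port $port but idhttpsd is not listening"
    return 1
}

check_captive_portal "$ASA_CP_CONFIG" "$NETSTAT_OK"
check_captive_portal "$ASA_CP_CONFIG" "$NETSTAT_MISSING" || true
```

On a real system, replace the sample strings with `show run captive-portal` output from the ASA and `netstat -anp` output from the module's expert shell; the listener check is the one to run first whenever the authentication page never appears, since a correct ASA config is useless if idhttpsd is down.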
01-13-2016 12:20 AM
Filippo, first of all thank you for a great post - very useful during troubleshooting.
I confirmed that idhttpsd is not started in my setup:
root@asafp01:~# ps -ef | grep idhttpsd
root 4480 3926 0 08:04 ttyS1 00:00:00 grep idhttpsd
netstat -anp | grep 885
I tried to start the process manually, but without success, as idhttpsd.conf is missing.
Have you seen anything like this?
02-13-2016 12:37 AM
FYI, a bug has been created for the reported issue: captive portal fails for traffic with a VLAN tag.
https://tools.cisco.com/bugsearch/bug/CSCuy17900