Showing results for 
Search instead for 
Did you mean: 

Cisco ASA SourceFire Captive Portal

Level 1
Level 1



I would like to know if the Sourcefire is capable to use a captive portal to authenticate the users in the domain and get access to Internet?


Stay pending for an answer, thanks a lot.



9 Replies 9

Level 1
Level 1

Not to authenticate, no.

Blocking web traffic can display a static web page. Or Interactive block can allow a user to click through. But not authenticate. 

Hi all,

This feature is very useful for "guest users" and/or no domain computer, that doesn't log in to AD.
Unfortunately, Others competitor has this feature and others important feature as:  "SSL decrytion" PBR, virtual routers.
It's possible to request this  "feature requrest" to Businiess Unity? or to have majoir visibility about the road-map of this implementation?  


thank all


This feature is on the roadmap.  You should contact your Cisco account manager for more info.

Did anyone get this working on 5506...try everything but never get the authentication page...I saw sessions in DC pending authentication.... and anyone try this with android OS client.


Sunil Kumar
Cisco Employee
Cisco Employee

This feature is now available in Firepower (Sourcefire) version 6.0.0. For more information, Please have a look on below article. 

Configure Active Directory Integration with Firepower Appliance for Single-Sign-On & Captive Portal Authentication


Sunil Kumar

Rate this if it helps!!

I Sunil,

your link was incorrect.

In attachment you can find configuration document that I followed but without success.
Users experience: The users will redirection to the portal-page, but the ASA drop the request.

Please can someone help us?

This is the solution:

  1. Authentication port


On FirePOWER Services, the ASA forwards captive portal traffic - that is, the traffic containing the authentication of the client to the firewall - to the SFR (FirePOWER Services) module. It is necessary to configure the required captive-portal port in the ASA for this traffic to be forwarded.

On the ASA, this can be verified by executing

    show run captive-portal

To configure captive portal on the ASA, perform the following

    config t

    captive-portal global port 885

To clear configuration

    no captive-portal


    clear conf captive-portal

To display the active rules and how many times they have been hit, run

    show asp table classify domain captive-portal


  1. Allowing traffic for authentication


Access policies apply to all traffic flowing through the system, including traffic that is destined to the firewall box itself. For example, if an access policy is applied that simply denies all traffic and the user is redirected for captive portal authentication, the access policy will block the user's attempt to authentication. An access policy rule must be configured to allow traffic for authentication. Configure an access rule to allow traffic destined to the sensor's IP address and chosen authentication port.

HTTP server logs

Authentication is performed by communicating with an HTTP server running on the sensor. It outputs logs to /var/log/captive_portal.log.


  1. Verifying system status


For Captive portal, following processes should be up and running , and their status can be confirmed with the following (On the FirePOWER CLI as root):


    sudo su -

    pmtool status | grep snort

    pmtool status | grep de

    pmtool status | grep adi

    pmtool status | grep SFDataCorrelator

    ps -eaf | grep bltd

    ps -ef | grep idhttpsd

In addition, verify that the idhttpsd process is listening on the expected port.

    netstat -anp | grep 885


  1. Captive portal with HTTPS traffic


To use captive portal with HTTPS traffic, an SSL policy must be created to decrypt the traffic and associated with an AC policy. 


Filippo, first of all thank you for a great post - very useful during troubleshooting.

Did confirm that idhttpsd is not started in my setup,

root@asafp01:~# ps -ef | grep idhttpsd
root      4480  3926  0 08:04 ttyS1    00:00:00 grep idhttpsd

netstat -anp | grep 885

Tried to start the process manual, but without success as idhttpsd.conf is missing

Anything you seen?

FYI, got a bug created for the issues reported - captive portal fails for traffic with a vlan tag.

Review Cisco Networking for a $25 gift card