
Multi-factor authentication for Captive Portal on FTD

Hi,

Has anyone tried integrating Okta or any other two-factor authentication with captive portal on FTD? Couldn't find any configuration example on the same. Any help would be great.

 

Vaibhav

1 ACCEPTED SOLUTION

Accepted Solutions
nspasov
Cisco Employee

Hello Vaibhav-

This is currently not supported. I would suggest reaching out to your local Cisco team and asking them to create an enhancement request and provide you with the ID.

Sorry to bring the bad news :(

 

Thank you for rating helpful posts!


7 REPLIES 7
Just for anyone else that ends up here and is using something other than OKTA. (RSA and Duo are supported as of 6.3)

 

RA VPN: Two-Factor Authentication

Firepower Threat Defense now supports two-factor authentication for RA VPN users using the Cisco AnyConnect Secure Mobility Client. For the two-factor authentication process, we support:

  • First factor: any RADIUS or LDAP/AD server

  • Second factor: RSA tokens or DUO passcodes pushed to mobile

For more information on Duo multi-factor authentication (MFA) for FTD, see the Cisco Firepower Threat Defense (FTD) VPN with AnyConnect documentation on the Duo Security website.

Supported platforms: FTD

 

Documentation: 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/new_features.html

 

 

Hi all

 

Based on the fact that this solution here is already two years old, is there in the meantime a possibility that Firepower can do MFA to enhance security?

 

Thank you

Markus

Markus.albisser
MFA is supported as of code 6.3 (RSA & DUO). The link to the documentation is in the above post.

Hi mludwig89

 

Thanks for your feedback here. Do you also know if this is applicable to the Captive Portal part of FP? What we want to do is to authenticate users with the Captive Portal and then to use their IP address and AD group membership for FP rules, for example grant access to a certain server. And we are looking that the user has not only to put his username/password into the Captive Portal, best would be also to be prompted to get an MFA request (Azure here is preferred).

 

Thanks

Markus

Hi Markus,

have you found a solution to this problem?

Hi Hrvoje

 

Unfortunately not, FP actually does not support MFA on their internal Captive Portal. For the moment we cannot go into this direction. It is open on our side in which direction we go, either if MFA is an absolute need we have to evaluate another solution of course outside Cisco (ISE-PIC does not scale for us as well and the ISE is too big for this function). As this topic is on hold for the moment we will start the evaluation process once it comes up again.

 

Thanks

Markus
