SEC0227 - ASA Firepower 6.0 Passive and Active Authentication (Part 2)

The video walks you through the two methods available for obtaining user identity on ASA Firepower 6.0: Passive and Active authentication. We configure Passive authentication using the Firepower User Agent to obtain user-to-IP mappings and enforce differentiated network access based on AD user group membership. We also configure Active authentication as a backup method to obtain user identity from a non-domain computer.

Part 2 of this video covers Identity and Access Control policy configuration.

Topic:
  • Passive Authentication
    • Firepower User Agent
    • LDAP Integration
  • Active Authentication
    • ASA Captive Portal
  • Identity Policy
  • Access Control Policy

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

8 comments

I cannot seem to get the UA to report users to the Management Center. Running UA 2.3, MC is 6.0.1.2. I get all green in the Active Directory Servers dialog and in the Firepower Management Centers tab. However, "Last Real-time Report" for AD never populates, and "Last Reported" for MCs never populates. Also, no users are learned on the MC. Any help would be greatly appreciated. Also, MC and UA are on the same subnet, Windows Firewall is turned off, and the server is 2012 R2.

Please make sure you have the correct LDAP search base where the user is located, as well as having the user groups downloaded. Without those, users may not show up on FMC.

Rebooted FMC and ASA. Boom, everything is working now (even my captive portal, which wasn't before).

Of course... Good old reboot fixes it :) Thanks for the update.

What happens when a user re-enables the network adapter, which causes an IP address change without logging off/on? Will the User Agent detect it immediately and inform FMC? I do not have a lab at hand for testing, but I think that can cause a problem for a moment until the agent discovers the new mapping. What would be a solution in that case, pxGrid?

You are correct. The IP change on the host can cause the mapping on FMC to be outdated, resulting in the FW incorrectly blocking/allowing traffic. A better way is to use 802.1X and pxGrid.
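The stale-mapping problem discussed in the two comments above, and the passive/active split described in the video summary, can be made concrete with a small model. This is an added example, not code from labminutes or Cisco: it simulates an identity table fed by logon events (what the User Agent gives FMC), an access rule keyed on AD group, a host whose IP changes without a new logon, and the two ways the page's topics address it, a captive-portal (active authentication) fallback for the new address and an expiry on passive entries. The user names, groups, destinations, addresses and the fixed TTL are all constructed for the demo; real FMC session-timeout behaviour is more involved than a single TTL.

```python
"""Toy model of identity-based access control driven by a user-to-IP map.

Added example (not labminutes or Cisco code). Simulates how a firewall that
learns identity passively from logon events decides traffic, what goes wrong
when a host changes IP without a new logon, and why an active-authentication
fallback and mapping expiry matter. All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed AD group membership (constructed sample data).
GROUP_OF = {"alice": "Finance", "bob": "Engineering"}

# Assumed identity-based rules: group -> destinations that group may reach.
ALLOWED = {
    "Finance": {"erp.internal"},
    "Engineering": {"git.internal"},
}
# Hosts with no known user may reach only the captive portal to log in.
PORTAL_ONLY = {"captive-portal"}


@dataclass
class Mapping:
    user: str
    learned_at: float


@dataclass
class PassiveIdentity:
    """Emulates the management center's user-to-IP table fed by logon events."""
    ttl: float                      # assumed expiry for a passive entry, seconds
    table: Dict[str, Mapping] = field(default_factory=dict)

    def logon(self, user: str, ip: str, now: float) -> None:
        # A fresh logon for a user supersedes any older IP recorded for that user.
        for old_ip, m in list(self.table.items()):
            if m.user == user:
                del self.table[old_ip]
        self.table[ip] = Mapping(user, now)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        m = self.table.get(ip)
        if m is None or now - m.learned_at > self.ttl:
            return None             # no mapping, or the entry has aged out
        return m.user


def decide(identity: PassiveIdentity, ip: str, dest: str, now: float,
           active_auth: Optional[Dict[str, str]] = None) -> str:
    """Return 'allow' or 'deny' for traffic from `ip` to `dest`.

    The passive table is consulted first; if it has nothing for the IP and an
    active-authentication result (captive portal) exists, that is used instead.
    """
    user = identity.lookup(ip, now)
    if user is None and active_auth:
        user = active_auth.get(ip)
    if user is None:
        return "allow" if dest in PORTAL_ONLY else "deny"
    return "allow" if dest in ALLOWED.get(GROUP_OF.get(user, ""), set()) else "deny"


def scenario_ip_change(ttl: float = 3600.0) -> Dict[str, str]:
    """alice logs on at 10.0.0.10; her NIC bounces and DHCP hands her 10.0.0.20."""
    ident = PassiveIdentity(ttl=ttl)
    ident.logon("alice", "10.0.0.10", now=0.0)
    out = {"before": decide(ident, "10.0.0.10", "erp.internal", now=10.0)}
    # No logoff/logon event: the table still says 10.0.0.10 is alice, and
    # nothing at all is known about 10.0.0.20, so alice is now blocked.
    out["new_ip_no_logon"] = decide(ident, "10.0.0.20", "erp.internal", now=20.0)
    # Worse: another host that receives the recycled 10.0.0.10 inherits alice's access.
    out["reused_ip_inherits"] = decide(ident, "10.0.0.10", "erp.internal", now=30.0)
    # Active authentication on the captive portal identifies alice at the new address.
    out["new_ip_after_portal"] = decide(
        ident, "10.0.0.20", "erp.internal", now=40.0, active_auth={"10.0.0.20": "alice"})
    # Once the passive entry expires, the recycled address no longer inherits anything.
    out["reused_ip_after_ttl"] = decide(ident, "10.0.0.10", "erp.internal", now=ttl + 1)
    return out


if __name__ == "__main__":
    for step, verdict in scenario_ip_change().items():
        print(f"{step:22s} {verdict}")
```

The two failure modes the comment describes both show up: the moved host is denied until something re-learns it, and the recycled address keeps the old user's privileges until the entry is replaced or expires. The captive portal closes the first gap for the host that moved; only an authoritative source that tracks the endpoint itself (802.1X with pxGrid, as the reply suggests) closes the second promptly.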

Hello,

I am having an issue with my captive portal auth, and as such I purchased your video to help out; however, I have still not been able to get the authentication pop-up in the browsers.

First of all, I noticed from other articles that SSL decryption needs to be put in place using an SSL policy, but that was not covered in your video. Secondly, I noticed your redirect page was to the inside interface on port 885; however, my users are getting redirected to my SFR module on the ASA. How do I change that, please?

Thanks

I have actually been able to figure out the redirection issue; apparently I should have used HTTP Basic or changed the DNS mapping. The problem I am currently stuck with is getting the browsers to display the authentication prompt.

Looking forward to your response.
