Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

CP login page does not load with new certificate

Up until now I have been using the default captive portal certificate "securelogin.arubanetworks.com" for my captive portal. I have both wireless and wired guest users using my captive portal and everything has been working great, but in keeping with best practice we have purchased a new certificate.

When I configure the controller to use the new server cert as the captive portal certificate, the login web page is not displayed. What have I missed?
Guru Elite
Posts: 20,365
Registered: ‎03-29-2007

Firefox?

You could be running into an issue where browsers like Firefox attempt to contact the OCSP server first, to see if your imported certificate is valid and has not been revoked. Usually the OCSP server for that domain is a property of the certificate that you load. Firefox will attempt to contact that server over http or https to determine if the certificate has been revoked.

If you turn off OCSP in Firefox (Tools -> Options -> Advanced -> Encryption / Certificates -> Verification) and it works, that means that is your issue. If you cannot do this for all your clients, you can open up traffic to that OCSP server in your login role like this:

netdestination goddy
  host 72.167.18.237
  host 72.167.239.239
  host 72.167.239.238
  host 72.167.239.237
  host 72.167.239.236
!
ip access-list session goddy-crl
  user alias goddy svc-http permit
  user alias goddy svc-https permit
!
user-role guest-logon
  captive-portal "guest-cp_prof"
  session-acl logon-control
  session-acl goddy-crl
  session-acl FSU_Web_Servers
  session-acl captiveportal
!


Of course, you would use the IP addresses from the DNS name in the OCSP portion of the certificate. http://www.networkworld.com/details/7174.html


Colin Joseph
Aruba Customer Engineering
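
The last step of the reply above, reading the OCSP responder name from the certificate and turning its addresses into the whitelist, as an added example that is not part of the original post. It assumes `openssl` and glibc's `getent` are installed; the names `ocsp-responder` and `ocsp-responder-allow` are chosen here, not taken from the thread.

```shell
#!/bin/sh
# Added example: build the ArubaOS whitelist for a certificate's OCSP responder.
# Assumptions: openssl and getent are installed; "ocsp-responder" and
# "ocsp-responder-allow" are names chosen for this example.

# Reduce an OCSP URI such as http://ocsp.example.test:80/path to its host name.
ocsp_host_from_uri() {
    host=${1#*://}      # drop the scheme
    host=${host%%/*}    # drop the path
    host=${host##*@}    # drop any userinfo
    host=${host%%:*}    # drop the port
    printf '%s\n' "$host"
}

# Print the netdestination and session ACL for a list of IPv4 addresses,
# using the same stanza layout as the configuration in the reply above.
render_acl() {
    name=$1; shift
    [ "$#" -gt 0 ] || { echo "no addresses for $name" >&2; return 1; }
    printf 'netdestination %s\n' "$name"
    for ip in "$@"; do
        case $ip in
            *[!0-9.]*|'') echo "skipping non-IPv4 value: $ip" >&2 ;;
            *) printf '  host %s\n' "$ip" ;;
        esac
    done
    printf '!\nip access-list session %s-allow\n' "$name"
    printf '  user alias %s svc-http permit\n' "$name"
    printf '  user alias %s svc-https permit\n!\n' "$name"
}

# Read the responder URIs from the certificate's Authority Information Access
# extension, resolve each host, and emit one combined stanza.
ocsp_acl_for_cert() {
    uris=$(openssl x509 -in "$1" -noout -ocsp_uri) || return 1
    [ -n "$uris" ] || { echo "certificate lists no OCSP responder" >&2; return 1; }
    ips=$(for u in $uris; do
              getent ahostsv4 "$(ocsp_host_from_uri "$u")" | awk '{print $1}'
          done | sort -u)
    render_acl ocsp-responder $ips
}

# Run only when a certificate path is given: sh ocsp_acl.sh server-cert.pem
if [ "$#" -ge 1 ]; then ocsp_acl_for_cert "$1"; fi
```

Responder addresses come from DNS and can change, so rerun the script and update the netdestination if clients start failing revocation checks again.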


Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

OCSP was the problem. Thanks.


That was it! Thanks for the help.