Command of the Day

Aruba Employee

COTD: Allow OCSP Requests In Logon Role

If your clients' browsers are attempting to validate your controller's captive portal certificate via OCSP (the default behavior for Firefox now), you can allow it by altering the policies associated with the logon role. For example, if you're using the default Aruba certificate you can do the following to allow OCSP traffic.

(Aruba620-US) (config) #netdestination ocsp.usertrust.com
(Aruba620-US) (config-dest) #host 208.77.208.79
(Aruba620-US) (config-dest) #host 208.77.208.82
(Aruba620-US) (config-dest) #host 208.116.13.251
(Aruba620-US) (config-dest) #host 208.116.18.83
(Aruba620-US) (config-dest) #host 64.150.190.19
(Aruba620-US) (config-dest) #host 65.98.24.187
(Aruba620-US) (config-dest) #host 69.175.66.203
(Aruba620-US) (config-dest) #host 69.175.66.219
(Aruba620-US) (config-dest) #host 174.133.236.131
(Aruba620-US) (config-dest) #host 174.133.251.251
(Aruba620-US) (config-dest) #host 91.209.196.169
(Aruba620-US) (config-dest) #exit
(Aruba620-US) (config) #ip access-list session ocsp
(Aruba620-US) (config-sess-ocsp)#user alias ocsp.usertrust.com tcp 80 permit log
(Aruba620-US) (config-sess-ocsp)#exit
(Aruba620-US) (config) #user-role guest-logon
(Aruba620-US) (config-role) #access-list session ocsp position 1
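Before pushing rules like the ones above, a defender will want to confirm which OCSP responder the captive-portal certificate actually names and whether that certificate is still valid. The following shell script is an added example, not from this thread or from Aruba: it assumes OpenSSL 1.1.1 or newer (for `-addext`), builds a throwaway self-signed certificate with a placeholder responder name, and prints the ArubaOS stub from the post above with the responder name as the netdestination alias.

```shell
#!/bin/sh
# Added example (not from the thread or Aruba): inspect the captive-portal
# certificate to learn which OCSP responder clients will contact and whether
# the cert has already expired, then print the matching ArubaOS config stub.
set -e

# Print the OCSP responder URI from the cert's Authority Information Access extension.
ocsp_uri() {                     # $1 = PEM certificate path
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print the host part of a URL (scheme, port and path stripped).
url_host() {                     # $1 = URL
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# Exit 0 if the certificate stays valid for at least $2 more seconds, 1 otherwise.
cert_valid_for() {               # $1 = PEM path, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Emit the ArubaOS session ACL stub described in the thread, using the responder
# hostname as the netdestination alias. The responder IPs still have to be added
# as "host <ip>" lines under the netdestination.
aruba_ocsp_stub() {              # $1 = responder hostname
    printf 'netdestination %s\n' "$1"
    printf '  ! add one "host <ip>" line per responder address\n'
    printf 'ip access-list session ocsp\n'
    printf '  user alias %s tcp 80 permit log\n' "$1"
    printf 'user-role guest-logon\n'
    printf '  access-list session ocsp position 1\n'
}

# Constructed sample: a throwaway self-signed cert carrying an AIA OCSP URI.
# ocsp.example.test is a placeholder, not a real Aruba or UserTrust endpoint.
make_sample_cert() {             # $1 = output PEM path (key goes to $1.key)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 2 -subj '/CN=captiveportal.example.test' \
        -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/status' 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    make_sample_cert /tmp/cp-sample.pem
    host=$(url_host "$(ocsp_uri /tmp/cp-sample.pem)")
    cert_valid_for /tmp/cp-sample.pem 86400 && echo "cert valid for 24h" || echo "cert expiring"
    aruba_ocsp_stub "$host"
fi
```

Run it as `sh script.sh demo`; on a real controller, feed it the PEM you exported instead of the constructed sample.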
Regular Contributor II

Re: COTD: Allow OCSP Requests In Logon Role

I've applied this to my controller, however the captive portal page is still not working with Apple products using Safari and Chrome.

Any other suggestions?
Aruba Employee

COTD: Allow OCSP Requests In Logon Role

Who is your cert provider?
Thanks,

Zach Jennings
Regular Contributor II

Re: COTD: Allow OCSP Requests In Logon Role

I'm using the default cert from Aruba.

Aruba Employee

COTD: Allow OCSP Requests In Logon Role

Is the Aruba cert expired?

See: http://support.arubanetworks.com/DesktopModules/Bring2mind/DMX/Download.aspx?TabId=77&DMXModule=512&Command=Core_Download&EntryId=5944&PortalId=0

Regular Contributor II

Re: COTD: Allow OCSP Requests In Logon Role

That is a possibility - master controllers were upgraded to 5.0.3.3, but then set to boot from 5.0.2.0 until the rest of the branch controllers are upgraded.

User works in an office with a controller using 5.0.3.3, but claims wireless is not working in the office.

Turns out there were also some issues with the Apple laptop (corrupt files, firmware update available, unable to get to the keyring, etc) - this was unknown to me as our Apple "expert" is the one physically working on the laptop.

Booted my controller to 5.0.3.3 around the same time that these other issues were addressed.

Also had them go in and delete the expired Aruba certificate from the keyring, so hopefully that will force them to get the new certificate and fix the issue.
Regular Contributor II

Re: COTD: Allow OCSP Requests In Logon Role

Worked here in our main office, but today is not working in the branch office.

We have a 3600 controller here, and the branch office is using a 620. Both are running 5.0.3.3.

The only difference is that I put the OCSP commands in the 3600 on Friday.

I tried to put in the OCSP commands on the 620, however it doesn't get past the first line of config:

netdestination ocsp.usertrust.com

It doesn't appear to recognize the netdestination command.

(PC1241-620) (config) #netdestination ocsp.usertrust.com
^
% Invalid input detected at '^' marker.

Any ideas or thoughts?
Aruba Employee

Re: COTD: Allow OCSP Requests In Logon Role

Is your 620 a local?

Zach
Thanks,

Zach Jennings
Regular Contributor II

Re: COTD: Allow OCSP Requests In Logon Role

Is your 620 a local?

Zach

Yes, all 620s are local controllers (150+). Two 3600s are masters.
Aruba Employee

COTD: Allow OCSP Requests In Logon Role

Right. Looks like the netdestination is pushed from the master to the local. I too cannot run that command on any of my locals running 5.0.3.1

So you shouldn't need to run it on the local. It will get pushed out from the master along with the policy.

Zach
Thanks,

Zach Jennings