Controller Based WLANs


How do I allow client browsers to validate my controller's captive portal certificate using OCSP? 

Jul 04, 2014 03:34 PM

Question:  How do I allow client browsers to validate my controller's captive portal certificate using OCSP?

 

Product and Software: This article applies to all ArubaOS versions.

 

Aruba captive portal is a Layer 3 authentication mechanism. Any HTTP request a client makes before it has authenticated is intercepted and answered with a redirect to the login page, whatever website the user was trying to reach. Users must pass authentication before they get full access (or whatever access the configured security policy grants).

To increase security, captive portal is (by default) presented over HTTPS so that user credentials cannot be sniffed. To provide HTTPS service, all Aruba controllers ship with a default certificate. That certificate is for demonstration purposes only, and administrators are strongly advised to install their own. Either way, whether you load your own certificate or keep the Aruba default, the client browser will want to check whether the certificate has been revoked, and that presents an interesting issue:

  • Internet Explorer 7 and later on Windows Vista (not XP) supports OCSP checking.
  • All versions of Firefox support OCSP checking; Firefox 3 and later enable it by default.
  • Safari on Mac OS X supports OCSP checking.
  • Opera 8.0 and later supports OCSP checking.
  • Google Chrome supports OCSP checking.

So almost all popular web browsers now support certificate revocation checking, and several perform it by default.

Unfortunately, revocation checking runs over plain HTTP. The browser reads the OCSP responder URL (or the CRL distribution point) from the certificate and fetches it over HTTP before it renders the page. Because that fetch is unencrypted HTTP from a client that has not yet authenticated, the captive portal intercepts it exactly like any other web request, and the browser receives a redirect to the login page instead of an OCSP response. The check fails and, depending on how the browser treats a failed check (hard-fail, or soft-fail after a timeout), the captive portal might or might not get loaded. Sometimes it can take more than 10 seconds to load while the browser waits for the revocation check to time out.
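To see exactly what the browser sees, the following added example (written for this page, not Aruba code) classifies the reply to an OCSP request as either a genuine responder answer or a captive-portal interception. Run probe_responder() from a client that is still in the pre-authentication (logon) role, against the OCSP URL found in the certificate's Authority Information Access extension; the sample replies at the bottom are constructed, and the portal URL in them is a placeholder. The probe body is an OCSPRequest with an empty request list: a reachable responder answers it with an OCSP-typed error status, which is enough to prove the path is open, while an intercepting portal answers with a redirect or an HTML page.

```python
"""Tell a real OCSP answer apart from a captive-portal interception."""
import urllib.error
import urllib.request
from typing import Mapping

# RFC 6960 OCSPResponseStatus values
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed probe body: OCSPRequest { tbsRequest { requestList SEQUENCE {} } }
PROBE_REQUEST = bytes.fromhex("300430023000")


def _tlv(buf: bytes, i: int):
    """Parse one DER TLV header at buf[i]; return (tag, value_start, value_end)."""
    if i + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[i], buf[i + 1]
    j = i + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or j + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[j:j + n], "big")
        j += n
    if j + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, j, j + length


def ocsp_response_status(body: bytes) -> int:
    """responseStatus of OCSPResponse ::= SEQUENCE { ENUMERATED, [0] OPTIONAL }."""
    tag, start, _ = _tlv(body, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse is not a SEQUENCE")
    tag, s, e = _tlv(body, start)
    if tag != 0x0A or e - s != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    return body[s]


def classify_ocsp_reply(status: int, headers: Mapping[str, str], body: bytes) -> str:
    """'ocsp:<status>' for a genuine responder answer (an error status still
    proves the responder was reached), 'intercepted:...' for a portal redirect
    or login page, 'unexpected:...' for anything else."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if 300 <= status < 400:
        return "intercepted:redirect:" + hdrs.get("location", "")
    if ctype == "application/ocsp-response":
        try:
            return "ocsp:" + OCSP_STATUS.get(ocsp_response_status(body), "unknown")
        except ValueError as exc:
            return "invalid-ocsp-response:" + str(exc)
    if ctype == "text/html":
        return "intercepted:html"
    return "unexpected:" + (ctype or "no-content-type")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx replies instead of following them (urllib follows by default)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_responder(ocsp_url: str, timeout: float = 5.0) -> str:
    """POST the probe to the responder over plain HTTP and classify the reply."""
    req = urllib.request.Request(
        ocsp_url, data=PROBE_REQUEST, method="POST",
        headers={"Content-Type": "application/ocsp-request"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_ocsp_reply(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return classify_ocsp_reply(err.code, dict(err.headers), err.read())


# Constructed sample replies (not captured from a real network)
GENUINE = (200, {"Content-Type": "application/ocsp-response"},
           bytes.fromhex("30030a0106"))  # responseStatus = unauthorized
PORTAL_REDIRECT = (302, {"Location": "https://portal.example.net/cgi-bin/login",
                         "Content-Type": "text/html"}, b"")
PORTAL_PAGE = (200, {"Content-Type": "text/html; charset=utf-8"},
               b"<html><body>Guest login</body></html>")

if __name__ == "__main__":
    for name, reply in (("genuine", GENUINE), ("redirect", PORTAL_REDIRECT),
                        ("page", PORTAL_PAGE)):
        print(name, "->", classify_ocsp_reply(*reply))
```

Before the ACL change, probe_responder() from a pre-auth client returns an "intercepted:" result; after it, any "ocsp:" result means the responder is reachable. The default logon role normally permits DNS, so name resolution is not the problem; if DNS is also blocked in a custom role, the probe will fail on resolution rather than on interception.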

If your clients' browsers are attempting to validate your controller's captive portal certificate via OCSP (the default behavior for Firefox now), you can allow it by altering the policies associated with the logon role: permit TCP port 80 to the OCSP responder hosts named in the certificate before authentication, and nothing else. The rule is placed at position 1 so that it is evaluated before the captive portal ACL that redirects all other HTTP traffic. For example, if you use the default Aruba certificate, issue these commands to allow OCSP traffic to its responders:

(Aruba) (config) #netdestination ocsp.com
(Aruba) (config-dest) #host 208.77.208.79
(Aruba) (config-dest) #host 208.77.208.82
(Aruba) (config-dest) #host 208.116.13.251
(Aruba) (config-dest) #host 208.116.18.83
(Aruba) (config-dest) #host 64.150.190.19
(Aruba) (config-dest) #host 65.98.24.187
(Aruba) (config-dest) #host 69.175.66.203
(Aruba) (config-dest) #host 69.175.66.219
(Aruba) (config-dest) #host 174.133.236.131
(Aruba) (config-dest) #host 174.133.251.251
(Aruba) (config-dest) #host 91.209.196.169
(Aruba) (config-dest) #exit
(Aruba) (config) #ip access-list session ocsp-acl
(Aruba) (config-sess-ocsp)#user alias ocsp.com tcp 80 permit
(Aruba) (config-sess-ocsp)#exit
(Aruba) (config) #user-role guest-logon
(Aruba) (config-role) #access-list session ocsp-acl position 1
(Aruba) (config-role) #end
(Aruba) #write memory
(Aruba) #

Use this netdestination if the controller still has the old Aruba default certificate. After applying it, confirm with show rights guest-logon that ocsp-acl is listed above the captiveportal ACL; if it sits below, the redirect rule still wins.

Note: Apply ocsp-acl to every pre-authentication role that requires captive portal authentication (for example logon as well as guest-logon), not only the one shown. The responder addresses listed here were current when this article was written; OCSP responders move, so verify them against the OCSP URL in the certificate's Authority Information Access extension and keep the netdestination up to date. Later ArubaOS releases also accept a name entry in a netdestination, which avoids hard-coding addresses; check the reference guide for your release.
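Rather than copying responder addresses from this article, the following added example (written for this page, not Aruba code) derives them from the certificate actually installed on the controller: it reads the OCSP URL out of the certificate's Authority Information Access extension (AccessDescription with id-ad-ocsp, 1.3.6.1.5.5.7.48.1), resolves the responder name, and prints the same netdestination, session ACL and user-role commands this article uses. It generalizes the two command blocks on this page to any certificate. The netdestination and ACL names are arbitrary placeholders, the sample AIA value is constructed, and resolve_responder() needs DNS, so the offline run uses placeholder addresses. Run it over every certificate in the chain, since browsers such as Firefox also check the intermediate CA certificate.

```python
"""Build the ArubaOS pre-authentication OCSP policy from a certificate's AIA."""
import base64
import socket
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

OID_OCSP = bytes.fromhex("06082b06010505073001")        # id-ad-ocsp, DER encoded
OID_CA_ISSUERS = bytes.fromhex("06082b06010505073002")  # id-ad-caIssuers


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_len(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, value_start)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def load_der(path: str) -> bytes:
    """Read a certificate file, accepting either DER or PEM."""
    data = open(path, "rb").read()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def ocsp_uris(der: bytes) -> List[str]:
    """Every OCSP URI in a DER certificate (or a bare AIA extension value).

    Looks for AccessDescription ::= SEQUENCE { id-ad-ocsp, GeneralName } with
    GeneralName [6] uniformResourceIdentifier (tag 0x86). This is a byte scan,
    not a full X.509 parse, which is adequate as a diagnostic: the OID bytes
    followed by tag 0x86 do not occur elsewhere in a well-formed certificate.
    """
    uris = []
    i = der.find(OID_OCSP)
    while i != -1:
        j = i + len(OID_OCSP)
        if j < len(der) and der[j] == 0x86:
            length, start = _der_len(der, j + 1)
            uris.append(der[start:start + length].decode("ascii"))
        i = der.find(OID_OCSP, i + 1)
    return uris


def responder_endpoint(uri: str) -> Tuple[str, int]:
    """Host and TCP port the browser connects to; OCSP responders are plain HTTP
    and are not always on port 80, so the ACL must permit the port in the URL."""
    parts = urlsplit(uri)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("OCSP AIA entry is not a plain-HTTP URL: " + uri)
    return parts.hostname, parts.port or 80


def resolve_responder(host: str) -> List[str]:
    """All IPv4 addresses the responder name resolves to right now (needs DNS)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def aruba_ocsp_policy(dest: str, ips: Iterable[str], port: int,
                      roles: Iterable[str], acl: str = "ocsp-acl") -> str:
    """ArubaOS configuration mirroring the commands in this article."""
    lines = [f"netdestination {dest}"]
    lines += [f"  host {ip}" for ip in ips]
    lines += ["!", f"ip access-list session {acl}",
              f"  user alias {dest} tcp {port} permit", "!"]
    for role in roles:
        lines += [f"user-role {role}", f"  access-list session {acl} position 1", "!"]
    return "\n".join(lines)


# Constructed AIA extension value (not taken from a real certificate):
# SEQUENCE { AccessDescription(ocsp), AccessDescription(caIssuers) }
SAMPLE_AIA = _der(0x30,
    _der(0x30, OID_OCSP + _der(0x86, b"http://ocsp.example.net"))
    + _der(0x30, OID_CA_ISSUERS + _der(0x86, b"http://crt.example.net/ca.crt")))

if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1           # python this.py controller-cert.pem
    der = load_der(sys.argv[1]) if live else SAMPLE_AIA
    for uri in ocsp_uris(der):
        host, port = responder_endpoint(uri)
        ips = resolve_responder(host) if live else ["192.0.2.10", "192.0.2.11"]
        print(aruba_ocsp_policy("ocsp-dest", ips, port, ["logon", "guest-logon"]))
```

The generated policy permits only the responder's port to the resolved addresses, which keeps the pre-authentication hole as small as the page's own ACL. Re-run it (or schedule it) when the certificate is replaced or the responder's addresses change, and diff the output against the running netdestination.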

If you have uploaded your own certificate, or upgraded to an ArubaOS release that ships a newer default certificate, the certificate points at different responders. In that case use this netdestination instead. Entering the existing ocsp-acl appends the new rule, so if both certificates are still in use on the controller the two rules can coexist in the same ACL:

(Aruba) (config) #netdestination comodo.com
(Aruba) (config-dest) #host 91.199.212.174
(Aruba) (config-dest) #host 91.209.196.4
(Aruba) (config-dest) #host 208.116.56.4
(Aruba) (config-dest) #host 149.5.128.4
(Aruba) (config-dest) #host 91.209.196.5
(Aruba) (config-dest) #host 205.234.175.175
(Aruba) (config-dest) #host 91.209.196.169
(Aruba) (config-dest) #host 91.199.212.169
(Aruba) (config-dest) #host 149.5.128.169
(Aruba) (config-dest) #host 199.66.201.169
(Aruba) (config-dest) #exit
(Aruba) (config) #ip access-list session ocsp-acl
(Aruba) (config-sess-ocsp)#user alias comodo.com svc-http permit
(Aruba) (config-sess-ocsp)#exit
(Aruba) (config) #user-role logon
(Aruba) (config-role) #session-acl ocsp-acl position 1
(Aruba) (config-role) #end
(Aruba) #write memory
(Aruba) #

Alternatively, you can disable OCSP checking in the client browser settings, which makes the portal load without these policies. That is a client-side workaround only: it weakens certificate validation for every site the user visits, and it is impractical for guest devices you do not manage, so the pre-authentication ACL above is the correct fix.
