Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

  • 1.  Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

    Posted Mar 09, 2015 10:41 AM

    Good day all,


    The question: is there a better way to work around the captive portal over SSL vs. the dynamic nature of IP address assignment of OCSP servers? I may have just missed a new feature or setting somewhere.

    The "keep adding IPs to the ACL" method is very inelegant and our list for ocsp.entrust.net has topped 120 addresses since we've been keeping track. Since I don't think Akamai (the hosting provider for ocsp.entrust.net) is going to change their modus operandi any time soon, what else can be done?

    Turning off OCSP checking, or teaching end users to skip through security warnings for self-signed certs, aren't generally acceptable options around here, so I'm trying to avoid that.

    Cheers,

    Todd



  • 2.  RE: Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

    EMPLOYEE
    Posted Mar 09, 2015 10:44 AM
    Turn on DNS lookups and then add the ocsp name to a netdestination. Then add that netdestination to the captive portal whitelist.


    Thanks,
    Tim


  • 3.  RE: Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

    Posted Mar 09, 2015 10:52 AM

    Thanks! I knew I was probably just missing something simple.

    -todd



  • 4.  RE: Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

    EMPLOYEE
    Posted Mar 09, 2015 11:34 AM

    Sample config:

    ip domain lookup
    !
    ip name-server <dns-server>
    ip name-server <dns-server>
    !
    netdestination ENTRUST-OCSP
      name ocsp.entrust.net
    !
    aaa authentication captive-portal "GUEST-SELFREG"
       white-list "ENTRUST-OCSP"
    !

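An added example (not from this thread, and not HPE Aruba code) that turns the advice in replies 2 and 4 into a check: it reads a config in the ArubaOS CLI form shown above and reports, for every captive-portal white-list entry, whether the referenced netdestination is name-based with `ip domain lookup` enabled, or a pinned list of addresses that will go stale as the OCSP responder's CDN rotates IPs. The `host`/`network` entry keywords, the sample addresses and the netdestination names other than ENTRUST-OCSP are assumed or constructed for the example.

```python
import re

# Constructed sample in the ArubaOS CLI style used in the thread (not a real
# controller dump): one static-host netdestination beside one name-based one.
SAMPLE_CONFIG = """ip domain lookup
!
netdestination OCSP-STATIC
  host 23.1.2.3
  host 104.5.6.7
!
netdestination ENTRUST-OCSP
  name ocsp.entrust.net
!
aaa authentication captive-portal "GUEST-SELFREG"
   white-list "OCSP-STATIC"
   white-list "ENTRUST-OCSP"
!
"""

def parse_config(config):
    """Return (dns_lookup_enabled, {netdest: [(kind, value)]}, {portal: [netdests]})."""
    dests, portals, block = {}, {}, None   # block = (kind, name) of the open stanza
    dns_on = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip domain lookup":
            dns_on = True
        elif line == "!":                  # '!' closes the current stanza
            block = None
        elif line.startswith("netdestination "):
            block = ("dest", line.split()[1]); dests[block[1]] = []
        elif line.startswith("aaa authentication captive-portal "):
            block = ("portal", line.split('"')[1]); portals[block[1]] = []
        elif block and block[0] == "dest":
            kind, _, value = line.partition(" ")
            if kind in ("host", "network", "name"):   # host/network assumed static entry keywords
                dests[block[1]].append((kind, value))
        elif block and block[0] == "portal" and line.startswith("white-list "):
            portals[block[1]].append(line.split('"')[1])
    return dns_on, dests, portals

def audit_whitelists(config):
    """Per portal: 'dns' (name-based, follows IP churn) or 'static:N' (N pinned entries)."""
    dns_on, dests, portals = parse_config(config)
    def verdict(name):
        entries = dests.get(name, [])
        if any(k == "name" for k, _ in entries):
            return "dns" if dns_on else "dns-lookup-disabled"
        return f"static:{len(entries)}"
    return {p: {n: verdict(n) for n in names} for p, names in portals.items()}
```

A `static:N` verdict on an OCSP white-list entry is the pattern the original poster describes; `dns-lookup-disabled` means the name-based netdestination exists but the controller cannot resolve it.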


  • 5.  RE: Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

    Posted Mar 09, 2015 10:46 AM

    So the issue is that users visiting the captive portal are being blocked from reaching the OCSP URL on the internet? Is this block happening in your controller? You should be able to write a rule using a name as a destination.

    Create an object in Advanced Services > Stateful Firewall > Destinations. Create a new object and under type select name. Add the hostname and then add a new rule in your guest logon firewall policy to allow this hostname?

    This all assumes your controller has DNS enabled.