Security
AU
New Contributor
Posts: 5
Registered: ‎03-17-2010

Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

Good day all,
The question: is there a better way to work around the captive portal over SSL vs. the dynamic nature of IP address assignment of OCSP servers? I may have just missed a new feature or setting somewhere.
The "keep adding IPs to the ACL" method is very inelegant, and our list for ocsp.entrust.net has topped 120 addresses since we've been keeping track. Since I don't think Akamai (the hosting provider for ocsp.entrust.net) is going to change their modus operandi any time soon, what else can be done?
Turning off OCSP checking, or teaching end users to click through security warnings for self-signed certs, aren't generally acceptable options around here, so I'm trying to avoid that.
Cheers,

Todd
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

Turn on DNS lookups and then add the OCSP name to a netdestination. Then add that netdestination to the captive portal whitelist.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

So the issue is that users visiting the captive portal are being blocked from reaching the OCSP URL on the internet? Is this block happening in your controller? You should be able to write a rule using a name as a destination.

Create an object in Advanced Services > Stateful Firewall > Destinations. Create a new object and under type select name. Add the hostname and then add a new rule in your guest logon firewall policy to allow this hostname.

This all assumes your controller has DNS enabled.

-------------------
ACDX, ACCP, CISSP, CWNA
AU
New Contributor
Posts: 5
Registered: ‎03-17-2010

Re: Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

Thanks! I knew I was probably just missing something simple.

-todd

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Any more elegant solution to SSL captive portal vs. dynamic ocsp ip addressing?

Sample config:
ip domain lookup
!
ip name-server <dns-server>
ip name-server <dns-server>
!
netdestination ENTRUST-OCSP
  name ocsp.entrust.net
!
aaa authentication captive-portal "GUEST-SELFREG"
   white-list "ENTRUST-OCSP"
!
Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
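The name-based whitelist above only works if you know which OCSP responder hostname(s) the portal's certificate chain actually points at. That hostname is published in each certificate's Authority Information Access (AIA) extension, so it can be read off the cert rather than guessed. The following script is an added example, not part of this thread or of any Aruba documentation: it builds a constructed self-signed test certificate carrying a hypothetical AIA URI (ocsp.example.test) and then prints the responder hostname(s) so they can be pasted into a netdestination. Against a real portal you would run ocsp_hosts on the server certificate and on every intermediate in the chain, since the responder is set per issuer. It assumes an OpenSSL 1.1.1 or newer binary (for -addext) on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): list the OCSP responder hostnames
# that a certificate's AIA extension points at, so a captive portal
# whitelist can be built by name instead of by an ever-growing IP list.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test input: a self-signed cert with a hypothetical OCSP URI.
# In real use, skip this and point ocsp_hosts at the portal's cert chain.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=captive-portal.example.test" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# Print each distinct OCSP responder hostname found in the given PEM cert.
# -ocsp_uri emits one URI per line; strip the scheme, port and path.
ocsp_hosts() {
    openssl x509 -in "$1" -noout -ocsp_uri |
        sed -E 's#^[A-Za-z]+://##; s#[/:].*$##' |
        sort -u
}

# Emit the matching Aruba netdestination stanza for the hostnames found,
# in the same form as the sample config in the thread.
netdestination_for() {
    printf 'netdestination %s\n' "$2"
    ocsp_hosts "$1" | while read -r host; do
        printf '  name %s\n' "$host"
    done
    printf '!\n'
}

CERT="$(make_test_cert)"
netdestination_for "$CERT" "TEST-OCSP"
```

Run it against the portal's server certificate and each intermediate (for example, `ocsp_hosts chain.pem` after concatenating them) and check the output before adding it to the whitelist; if the chain's responders live on a different hostname than you expected, that is exactly the gap an IP-based ACL keeps reopening.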