03-09-2015 07:40 AM
Good day all,
The question: is there a better way to work around the captive portal over SSL vs. the dynamic nature of IP address assignment of OCSP servers? I may have just missed a new feature or setting somewhere..
The "keep adding IPs to the ACL" method is very inelegant and our list for ocsp.entrust.net has topped 120 addresses since we've been keeping track. Since I don't think Akamai (the hosting provider for ocsp.entrust.net) is going to change their modus operandi any time soon, what else can be done?
Turning off OCSP checking, or teaching end users to skip through security warnings for self-signed certs, aren't generally acceptable options around here, so I'm trying to avoid that.
03-09-2015 07:43 AM
03-09-2015 07:46 AM
So the issue is that users visiting the captive portal are being blocked from reaching the OCSP URL on the internet? Is this block happening in your controller? You should be able to write a rule using a name as a destination.
Create an object in Advanced Services > Stateful Firewall > Destinations. Create a new object and under type select Name. Add the hostname and then add a new rule in your guest logon firewall policy to allow this hostname?
This all assumes your controller has DNS enabled.
ACDX, ACCP, CISSP, CWNA
03-09-2015 08:34 AM
ip domain lookup
!
ip name-server <dns-server>
ip name-server <dns-server>
!
netdestination ENTRUST-OCSP
  name ocsp.entrust.net
!
aaa authentication captive-portal "GUEST-SELFREG"
  white-list "ENTRUST-OCSP"
!
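To show why the hostname-based destination above scales where the hand-maintained IP ACL does not, here is an added Python model of how such a name object behaves: the controller learns the IPs for the whitelisted hostname from the DNS answers it sees and lets them expire with the record TTL. This is an illustration written for this thread, not Aruba code; the class names, the sample DNS answers (RFC 5737 documentation addresses) and the TTLs are all constructed. It also exercises the caveat in the earlier reply that the controller must actually see the DNS traffic: an address a client obtained from a resolver the controller did not observe is not matched.

```python
"""Model of a name-based firewall destination versus a static IP ACL.

Constructed illustration (not vendor code): a hostname object learns
responder IPs from DNS answers the controller observes, and each entry
expires with the DNS TTL, so the whitelist follows the CDN on its own.
"""
from collections import defaultdict


class NameDestination:
    """Whitelist keyed by hostname; IPs are learned from observed DNS
    answers and expire when the record TTL runs out."""

    def __init__(self, hostnames):
        self.hostnames = {h.lower().rstrip(".") for h in hostnames}
        self._learned = defaultdict(dict)  # host -> {ip: expiry_time}

    def observe_dns_answer(self, name, ip, ttl, now):
        """Record an A record seen passing through the controller."""
        name = name.lower().rstrip(".")
        if name in self.hostnames:          # ignore hosts not in the object
            self._learned[name][ip] = now + ttl

    def allows(self, dst_ip, now):
        """True if dst_ip is a currently valid learned address."""
        return any(exp > now
                   for entries in self._learned.values()
                   for ip, exp in entries.items() if ip == dst_ip)

    def active_ips(self, now):
        """Addresses the firewall would match at time `now`."""
        return {ip for entries in self._learned.values()
                for ip, exp in entries.items() if exp > now}


class StaticIpAcl:
    """The 'keep adding IPs' approach: grows and never forgets."""

    def __init__(self):
        self.ips = set()

    def add(self, ip):
        self.ips.add(ip)

    def allows(self, dst_ip, now=None):
        return dst_ip in self.ips


# Constructed sample of DNS answers seen over time: (t_seconds, name, ip, ttl)
SAMPLE_ANSWERS = [
    (0,   "ocsp.entrust.net", "192.0.2.10",    20),
    (0,   "ocsp.entrust.net", "192.0.2.11",    20),
    (60,  "ocsp.entrust.net", "198.51.100.7",  20),
    (120, "ocsp.entrust.net", "203.0.113.42",  20),
    (120, "www.example.com",  "203.0.113.99", 300),  # unrelated host
]


def simulate(answers=SAMPLE_ANSWERS, now=125):
    """Replay the answers into both whitelist styles and compare them."""
    name_dest = NameDestination(["ocsp.entrust.net"])
    static_acl = StaticIpAcl()
    for t, name, ip, ttl in answers:
        name_dest.observe_dns_answer(name, ip, ttl, t)
        if name == "ocsp.entrust.net":
            static_acl.add(ip)  # what the admin does by hand today
    return {
        "static_acl_size": len(static_acl.ips),
        "name_dest_active": sorted(name_dest.active_ips(now)),
        "current_ocsp_ip_allowed": name_dest.allows("203.0.113.42", now),
        "stale_ocsp_ip_allowed": name_dest.allows("192.0.2.10", now),
        "unrelated_ip_allowed": name_dest.allows("203.0.113.99", now),
        # address resolved via a DNS server the controller never saw
        "unobserved_ip_allowed": name_dest.allows("198.51.100.200", now),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The static ACL ends up holding every address ever seen, which is the 120-entry list described in the first post, while the name object only ever matches what DNS currently says. The last result is the operational point behind "this all assumes your controller has DNS enabled": if guests resolve the OCSP hostname through a resolver whose answers never pass the controller, the name object has nothing to learn from and the OCSP check is still blocked.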