Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal certificate

1. Captive portal certificate

    Posted Nov 21, 2011 02:11 PM

    After playing around for a couple of days I understood you have to "whitelist" the OCSP server of the certification authority, otherwise any modern browser will just fail because it will try to validate the certificate online.

    When using tunnel VAP you can do it by name; for example, Comodo's certificates use ocsp.comodoca.com and crl.comodoca.com. You can discover yours by inspecting the certificate data or by using Wireshark.

    The symptom is that when you turn off the encryption (using HTTP login) the captive portal just works.

    When using a remote AP with split tunnel configuration, I have found that you cannot specify the network destination by name but have to use an IP address. If you do it by name the browser is always redirected to the captive portal.

    Are you aware of any workaround so you can whitelist by name?

    What would be the best practice to configure a walled garden in a remote AP split tunnel environment?

     



2. RE: Captive portal certificate

    EMPLOYEE
    Posted Nov 22, 2011 08:22 PM

    This is a problem mostly with Firefox. I would argue that their OCSP behavior is broken - it does increase security, but presenting some kind of warning when OCSP fails would be a much better idea than just silently failing and refusing to display the page at all. IE will also do an OCSP check but it will fail more gracefully. I don't have experience with other browsers yet.

    I have a few answers for you:

    1. In AOS 6.1, there is a feature called "Walled Garden" for captive portal, which basically lets you enter DNS names for firewall rules. This provides a mechanism to deal with these OCSP captive portal certificates. Unfortunately....

    2. ...the feature isn't available on APs in split-tunnel mode. It only works on the controller. ArubaOS 6.2 will add the feature to split-tunnel mode as well. That will be available in the first half of 2012.

    3. In the meantime, I would highly suggest using a captive portal server certificate that doesn't include the OCSP AIA field. Not every CA populates this field - notably if you purchase the cheapest SSL cert from GeoTrust, there is no OCSP field. There are probably others. From what I have seen, the more expensive SSL certs do use this field, since it increases security and they can charge more for it. The cheap ones often do not.

    Hope that helps.

    -Jon
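Both posts turn on the same two facts about the portal certificate: which OCSP responder and CRL hosts it points browsers at (the first post found them with Wireshark), and whether it carries the OCSP AIA field at all (Jon's third suggestion). The script below is an added example, not code from the thread or from Aruba, that reads those values straight out of the certificate with the openssl CLI; it assumes openssl 1.1.1 or newer is installed, and the certificate it generates and the example.test hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from this thread): extract the OCSP responder and CRL URLs
# from a captive-portal server certificate so the hosts can be whitelisted, and
# flag whether the certificate carries an OCSP (AIA) entry at all.
# Assumes the openssl CLI is installed (1.1.1 or newer, for -addext).
set -eu

# Print the OCSP responder URI(s) from the certificate's AIA extension.
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print the URIs listed under the CRL Distribution Points extension.
crl_uris() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 CRL Distribution Points/,/^ *X509v3/p' \
        | grep -o 'URI:[^ ]*' | sed 's/^URI://'
}

# Succeeds when the certificate names an OCSP responder (a browser will try to
# reach it before the portal loads); fails for a certificate without the field.
has_ocsp() {
    [ -n "$(ocsp_uris "$1")" ]
}

# Hostnames that must be reachable before login, one per line, deduplicated.
walled_garden_hosts() {
    { ocsp_uris "$1"; crl_uris "$1"; } | sed -E 's#^[a-z]+://([^/:]+).*#\1#' | sort -u
}

# Constructed sample: a throwaway self-signed certificate. Pass "plain" as the
# second argument to omit the AIA/CRL extensions. Hostnames are placeholders.
make_sample_cert() {
    out=$1; ext=""
    if [ "${2:-}" != "plain" ]; then
        ext="-addext authorityInfoAccess=OCSP;URI:http://ocsp.example.test
             -addext crlDistributionPoints=URI:http://crl.example.test/ca.crl"
    fi
    # $ext is left unquoted on purpose so it splits into separate arguments.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=portal.example.test" $ext \
        -keyout "$out.key" -out "$out" 2>/dev/null
}
```

Point `walled_garden_hosts` at the real portal certificate (any PEM file) to get the list to put into the walled-garden or whitelist rules; `has_ocsp` returning failure means the certificate matches what Jon recommends for split-tunnel APs.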