11-21-2011 11:11 AM
After playing around for a couple of days I understood you have to "whitelist" the OCSP server of the certification authority, otherwise any modern browser will just fail because it will try to validate the certificate online.
When using a tunnel VAP you can do it by name; for example, Comodo's certificates use ocsp.comodoca.com and crl.comodoca.com. You can discover yours by inspecting the certificate data or by using Wireshark.
The symptom is that when you turn off the encryption (using HTTP login) the captive portal just works.
When using a remote AP with a split tunnel configuration, I have found that I cannot specify the network destination by name but have to use an IP address. If you do it by name the browser is always redirected to the captive portal.
Are you aware of any workaround so you can whitelist by name?
What would be the best practice to configure a walled garden in a remote AP split tunnel environment?
11-22-2011 05:21 PM
This is a problem mostly with Firefox. I would argue that their OCSP behavior is broken - it does increase security, but presenting some kind of warning when OCSP fails would be a much better idea than just silently failing and refusing to display the page at all. IE will also do an OCSP check but it will fail more gracefully. I don't have experience with other browsers yet.
I have a few answers for you:
1. In AOS 6.1, there is a feature called "Walled Garden" for captive portal, which basically lets you enter DNS names for firewall rules. This provides a mechanism to deal with these OCSP captive portal certificates. Unfortunately....
2. ...the feature isn't available on APs in split-tunnel mode. It only works on the controller. ArubaOS 6.2 will add the feature to split-tunnel mode as well. That will be available in the first half of 2012.
3. In the meantime, I would highly suggest using a captive portal server certificate that doesn't include the OCSP AIA field. Not every CA populates this field - notably if you purchase the cheapest SSL cert from GeoTrust, there is no OCSP field. There are probably others. From what I have seen, the more expensive SSL certs do use this field, since it increases security and they can charge more for it. The cheap ones often do not.
Hope that helps.
Jon Green, ACMX, CISSP
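An added example, not from either post: a small POSIX shell helper built on the openssl CLI that pulls the OCSP (AIA) and CRL hostnames out of a captive-portal certificate so they can be whitelisted, and reports whether the certificate carries an OCSP AIA entry at all, the property Jon's third point suggests avoiding. The certificate it generates and the example.test hostnames are constructed; it assumes OpenSSL 1.1.1 or later for the -addext and -ext options.

```sh
#!/bin/sh
# Added example (not from the thread): list the hostnames a captive-portal
# certificate sends clients to for revocation checks (OCSP via the AIA
# extension, and CRL distribution points) so each can go in the walled
# garden / whitelist. Hostnames below are constructed placeholders.

# Print the OCSP responder and CRL hostnames embedded in a PEM certificate.
# Argument: certificate path. Output: one hostname per line, deduplicated.
revocation_hosts() {
    cert="$1"
    {
        # -ocsp_uri prints the OCSP URIs from the Authority Information Access field
        openssl x509 -in "$cert" -noout -ocsp_uri
        # CRL Distribution Points are printed as lines containing "URI:http://host/path"
        openssl x509 -in "$cert" -noout -ext crlDistributionPoints 2>/dev/null \
            | sed -n 's/.*URI:\(.*\)/\1/p'
    } | sed -e 's#^[A-Za-z]*://##' -e 's#[/:].*$##' | sed '/^$/d' | sort -u
}

# Return 0 when the certificate carries an OCSP AIA entry (the case the thread
# describes as breaking Firefox behind a captive portal), 1 otherwise.
has_ocsp_aia() {
    [ -n "$(openssl x509 -in "$1" -noout -ocsp_uri)" ]
}

# Build a constructed self-signed certificate with AIA and CRL extensions.
# Argument: output path for the certificate (the key lands beside it).
make_sample_cert() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${out%.pem}.key" -out "$out" \
        -subj "/CN=captiveportal.example" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
        >/dev/null 2>&1
}

# Stand-alone usage: generate the sample cert and print the hosts to whitelist.
if [ "${1:-}" = "--demo" ]; then
    make_sample_cert /tmp/cp-sample.pem && revocation_hosts /tmp/cp-sample.pem
fi
```

Run it against the real portal certificate instead of the sample to get the names that need whitelisting; if has_ocsp_aia reports nothing, the certificate is of the kind Jon describes.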