I have read through multiple threads on the subject of OCSP but am not able to resolve the issue I am having.
Symptoms: on my captive portal SSID, Apple laptops never get redirected; Safari/Chrome just sit forever loading/not doing anything.
On Windows I can create a problem with Firefox by asking it to validate the cert and treat it as invalid if it fails.
Chrome on Windows works fine.
Firefox displays an error message:
The OCSP server experienced an internal error.
(Error code: sec_error_ocsp_server_error)
From my not-yet-authenticated Windows laptop and Apple laptops I can ping the OCSP/CRL servers:
crl.globalsign.com
ocsp2.globalsign.com
My masters and locals running 6.2.1.2 are configured with a whitelist on the captive portal to allow the connection to the servers and are configured for DNS lookups. The master IP addresses that the captive portal runs on are not internet accessible.
Looking at the CLI:
show datapath session table <myIP>
show datapath session ipv6 table <myIP>
The Apple laptop, when pinging the CRL server, shows the CRL in the table (IPv4).
The Apple laptop, when opening any webpage, does not show the CRL IP address in the table (IPv4 or IPv6); the link-local address of the Apple laptop shows in the user table but its global IPv6 address does not.
The Windows laptop, when pinging the CRL, shows up in the IPv6 CRL table.
The Windows laptop also shows up in the IPv6 CRL table when trying to open the captive portal.
netdestination globalsign_crl_ocsp
    name ocsp2.globalsign.com
    name crl.globalsign.com
!
aaa authentication captive-portal guest
    white-list globalsign_crl_ocsp
!
ip domain-name <mydomain>
ip domain lookup
ip name-server <ip>
ip name-server <ip>
ip name-server <ip>
Windows laptop
=================
<winlap-edited>:701:572:37cc:9c97:91de 2400:cb00:2048:1::6ca2:e807 6 56195 80 0 0 0 1 tunnel 15 5 5 666 FNC
<winlap-edited>:701:572:37cc:9c97:91de 2400:cb00:2048:1::6ca2:e807 6 56193 80 0 0 0 1 tunnel 15 5 5 666 FNC
<winlap-edited>:701:572:37cc:9c97:91de 2400:cb00:2048:1::6ca2:e807 6 56191 80 0 0 0 1 tunnel 15 5 5 666 FNC
<winlap-edited>:701:572:37cc:9c97:91de 2400:cb00:2048:1::6ca2:e807 6 56187 80 0 0 0 1 tunnel 15 f 0 0 FNC
<winlap-edited>:701:572:37cc:9c97:91de 2400:cb00:2048:1::6ca2:e807 6 56186 80 0 0 0 1 tunnel 15 f 0 0 FNC
<winlap-edited>:701:572:37cc:9c97:91de 2400:cb00:2048:1::6ca2:e807 6 56184 80 0 0 0 1 tunnel 15 f 0 0 FNC
<winlap-edited>:701:572:37cc:9c97:91de 2400:cb00:2048:1::6ca2:e807 6 56182 80 0 0 0 1 tunnel 15 f 0 0 FNC
<controller>:8eca:402::4 <winlap-edited>:701:572:37cc:9c97:91de 6 8081 56194 0 0 0 0 local 3 1 323 FDC
<controller>:8eca:402::4 <winlap-edited>:701:572:37cc:9c97:91de 6 8081 56201 0 0 0 0 tunnel 15 1 6 2081 S
<controller>:8eca:402::4 <winlap-edited>:701:572:37cc:9c97:91de 6 8081 56192 0 0 0 0 local 2 0 0 FDYC
================
Does anyone have a suggestion on what I can look at?