Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OCSP problem or certificate problem?

  • 1.  OCSP problem or certificate problem?

    Posted Sep 18, 2014 01:30 PM

    We have constant problems with iOS devices trying to gain internet access via our portal. I know it's related to OCSP, in some form or fashion, because when I disable OCSP in the client web browser - SHAZAM!...I have internet access. Without disabling OCSP, the browser will often time out trying to ultimately gain internet connectivity.

    I've opened a case with TAC and they've made changes to our system using this KB article as a guide: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1336 but unfortunately this has not solved our problem.

    I'm wondering if it's far more simple; I'm wondering if it's because we're using a 3rd party certificate issued by Network Solutions and we should just buy a cert from either Thawte or Verisign which, by default, are MUCH much more trusted by client browsers??? I think this is why disabling OCSP works because you're basically telling the client browser to ignore the cert - just accept it - don't bother trying to verify whether it's legit or not.

    Do other people have this same issue? Who do you buy your certs from?

    Ed



  • 2.  RE: OCSP problem or certificate problem?

    EMPLOYEE
    Posted Sep 18, 2014 01:31 PM

    I always permit OCSP checks in the user-role. This solves all the issues.



  • 3.  RE: OCSP problem or certificate problem?

    Posted Sep 18, 2014 01:34 PM

    I'll try it! Can you tell me how to do this?

    Ed



  • 4.  RE: OCSP problem or certificate problem?
    Best Answer

    EMPLOYEE
    Posted Sep 18, 2014 01:38 PM

    Here's an example for the built-in controller certificate (securelogin.arubanetworks.com) (screenshots are from AOS 6.4):

    ip domain lookup
    ip domain-name <your-domain>
    !
    ip name-server <your-dns-server>
    !
    netdestination GEOTRUST-OCSP
      name ocsp.geotrust.com
    !

    [screenshot: captive-portal-whitelist.png]

    [screenshot: ocsp-role.png]
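As an added check, not part of this thread or of Aruba's tooling: Tim's stanza names the responder used by the built-in certificate, while a third-party certificate like Ed's points at a different one, so the netdestination should be derived from the certificate actually installed on the portal. The script below reads the AIA extension of a DER certificate (standard library only) and renders a netdestination stanza with every OCSP and CA Issuers host it finds; the stanza name PORTAL-CERT-AIA and the example.test URIs are made-up sample values.

```python
from urllib.parse import urlparse

# Hypothetical helper (not Aruba code): hosts a client may contact while validating the portal cert.
OID_AIA = bytes.fromhex("2b06010505070101")                        # id-pe-authorityInfoAccess (DER)
OCSP, CAISS = bytes.fromhex("2b06010505073001"), bytes.fromhex("2b06010505073002")
ACCESS_METHODS = {OCSP: "ocsp", CAISS: "caIssuers"}                # id-ad-ocsp, id-ad-caIssuers

def _children(value):                                              # (tag, value) pairs inside a DER node
    pos, out = 0, []
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                                          # long-form length (real certificates)
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def _find_aia(buf):                                                # depth-first search for the extension
    kids = _children(buf)
    for i, (tag, val) in enumerate(kids):
        if tag == 0x06 and val == OID_AIA:
            return next(v for t, v in kids[i + 1:] if t == 0x04)  # extnValue OCTET STRING
        if tag in (0x30, 0x31) or (tag & 0xE0) == 0xA0:           # SEQUENCE, SET, [n] constructed
            found = _find_aia(val)
            if found is not None:
                return found

def aia_hosts(der):
    """Hostnames in the AIA of a DER certificate (or a bare extension), by access method."""
    hosts, aia = {"ocsp": [], "caIssuers": []}, _find_aia(der)
    for _, desc in (_children(_children(aia)[0][1]) if aia else []):   # each AccessDescription
        (_, method), (loc_tag, loc) = _children(desc)[:2]
        kind = ACCESS_METHODS.get(method)
        if kind and loc_tag == 0x86:                               # GeneralName uniformResourceIdentifier
            host = urlparse(loc.decode()).hostname
            if host and host not in hosts[kind]:
                hosts[kind].append(host)
    return hosts

def netdestination_config(der, name="PORTAL-CERT-AIA"):           # stanza in the form used in this thread
    found = aia_hosts(der)
    names = [f"  name {h}" for k in ("ocsp", "caIssuers") for h in found[k]]
    return "\n".join([f"netdestination {name}", *names, "!"])
def _tlv(tag, body):                                               # tiny DER encoder (short lengths only)
    return bytes([tag, len(body)]) + body

# Constructed sample: an AIA extension carrying one OCSP URI and one CA Issuers URI.
SAMPLE_EXT = _tlv(0x30, _tlv(0x06, OID_AIA) + _tlv(0x04, _tlv(0x30,
    _tlv(0x30, _tlv(0x06, OCSP) + _tlv(0x86, b"http://ocsp.example.test"))
    + _tlv(0x30, _tlv(0x06, CAISS) + _tlv(0x86, b"http://ca.example.test/ca.crt")))))
```

A PEM file needs its base64 body decoded before it is passed in; the CA Issuers hosts are listed too because a client that lacks the intermediate fetches it from there during the same validation, which also happens before the portal login.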



  • 5.  RE: OCSP problem or certificate problem?

    Posted Sep 18, 2014 02:02 PM

    Thank you Tim!

    Is there any chance you can send these screenshots to me? These are a little small to view.

    :-)

    Ed



  • 6.  RE: OCSP problem or certificate problem?

    EMPLOYEE
    Posted Sep 18, 2014 02:03 PM

    They're attached to this post.

    Tim



  • 7.  RE: OCSP problem or certificate problem?

    Posted Sep 18, 2014 02:06 PM

    Thank you...I'll give this a shot!

    Ed