Occasional Contributor II
Posts: 10
Registered: ‎03-04-2013

OCSP problem or certificate problem?

We have constant problems with iOS devices trying to gain internet access via our portal. I know it's related to OCSP, in some form or fashion, because when I disable OCSP in the client web browser - SHAZAM!...I have internet access. Without disabling OCSP, the browser will often time out trying to ultimately gain internet connectivity.

 

I've opened a case with TAC and they've made changes to our system using this KB article as a guide: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1336 but unfortunately this has not solved our problem.

 

I'm wondering if it's far more simple; I'm wondering if it's because we're using a 3rd party certificate issued by Network Solutions and we should just buy a cert from either Thawte or Verisign which, by default, are MUCH much more trusted by client browsers??? I think this is why disabling OCSP works because you're basically telling the client browser to ignore the cert - just accept it - don't bother trying to verify whether it's legit or not.

 

Do other people have this same issue? Who do you buy your certs from?

 

Ed

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: OCSP problem or certificate problem?

I always permit OCSP checks in the user-role. This solves all the issues.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 10
Registered: ‎03-04-2013

Re: OCSP problem or certificate problem?

I'll try it! Can you tell me how to do this?

 

Ed

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: OCSP problem or certificate problem?

Here's an example for the built-in controller certificate (securelogin.arubanetworks.com) (screenshots are from AOS 6.4)

 

ip domain lookup
ip domain-name <your-domain>
!
ip name-server <your-dns-server>
!
netdestination GEOTRUST-OCSP
    name ocsp.geotrust.com
!

 

captive-portal-whitelist.png

 

ocsp-role.png


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
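
The example above whitelists the responder for the built-in certificate; a portal certificate from another CA names a different OCSP responder in its Authority Information Access extension. The script below is an added example, not part of the original posts: it reads the responder URIs with `openssl x509 -ocsp_uri` and prints a `netdestination` stanza in the same layout. The alias `PORTAL-OCSP` and the file name `portal-cert.pem` are placeholders.

```shell
#!/bin/sh
# Added example: build a netdestination stanza for the OCSP responder(s)
# named in a captive-portal certificate, so they can be permitted pre-auth.

# Read OCSP responder URIs (one per line) on stdin, print unique hostnames.
# Scheme, port and path are stripped; hostnames are lower-cased.
ocsp_hosts() {
    sed -n -E 's#^[[:space:]]*[hH][tT][tT][pP][sS]?://([^/:[:space:]]+).*$#\1#p' |
        tr 'A-Z' 'a-z' | LC_ALL=C sort -u
}

# Turn hostnames on stdin into a netdestination stanza.
# $1 = alias name (placeholder, choose your own).
netdestination_stanza() {
    hosts=$(cat)
    [ -n "$hosts" ] || {
        echo "no OCSP responder URI found in certificate" >&2
        return 1
    }
    printf 'netdestination %s\n' "$1"
    printf '%s\n' "$hosts" | while IFS= read -r h; do
        printf '    name %s\n' "$h"
    done
    printf '!\n'
}

# Print the OCSP URIs from a PEM certificate's AIA extension.
cert_ocsp_uris() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Usage: sh ocsp-whitelist.sh portal-cert.pem [ALIAS]
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    cert_ocsp_uris "$1" | ocsp_hosts | netdestination_stanza "${2:-PORTAL-OCSP}"
fi
```

Run it against the intermediate certificates in the chain as well, since each certificate can name its own responder.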
Occasional Contributor II
Posts: 10
Registered: ‎03-04-2013

Re: OCSP problem or certificate problem?

Thank you Tim!

 

Is there any chance you can send these screenshots to me? These are a little small to view.

 

:-)

 

Ed

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: OCSP problem or certificate problem?

They're attached to this post.

 

Tim


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 10
Registered: ‎03-04-2013

Re: OCSP problem or certificate problem?

Thank you...I'll give this a shot!

 

Ed
