Occasional Contributor II

Re: OCSP on Firefox

Thanks for your help by the way.

#show datapath session table 192.168.254.210

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined

Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
--------------- --------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
204.117.214.10  192.168.254.210 17   53    53276 0/0  0    0   0   tunnel 365  5    FI
192.168.254.210 216.191.247.203 6    49772 80    0/0  0    0   1   tunnel 365  5    FNC
172.16.70.5     192.168.254.210 6    8080  49770 0/0  0    0   1   tunnel 365  6    FS
172.16.70.5     192.168.254.210 6    8081  49771 0/0  0    0   1   tunnel 365  6    SI
172.16.70.5     192.168.254.210 6    8081  49774 0/0  0    0   1   tunnel 365  5    SI
172.16.70.5     192.168.254.210 6    8080  49772 0/0  0    0   1   tunnel 365  5    FS
172.16.70.5     192.168.254.210 6    8081  49773 0/0  0    0   1   tunnel 365  5    SI
192.168.254.210 204.117.214.10  17   53276 53    0/0  0    0   1   tunnel 365  5    FCI
192.168.254.210 63.164.245.10   6    49773 443   0/0  0    0   0   tunnel 365  5    NCI
192.168.254.210 63.164.245.10   6    49774 443   0/0  0    0   0   tunnel 365  5    NCI
192.168.254.210 63.164.245.10   6    49771 443   0/0  0    0   0   tunnel 365  6    NCI
192.168.254.210 208.76.86.30    6    49770 80    0/0  0    0   0   tunnel 365  6    FNC

Guru Elite

Re: OCSP on Firefox


Thanks for your help by the way.


#show datapath session table 192.168.254.210

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined

Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
--------------- --------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
204.117.214.10  192.168.254.210 17   53    53276 0/0  0    0   0   tunnel 365  5    FI
192.168.254.210 216.191.247.203 6    49772 80    0/0  0    0   1   tunnel 365  5    FNC
172.16.70.5     192.168.254.210 6    8080  49770 0/0  0    0   1   tunnel 365  6    FS
172.16.70.5     192.168.254.210 6    8081  49771 0/0  0    0   1   tunnel 365  6    SI
172.16.70.5     192.168.254.210 6    8081  49774 0/0  0    0   1   tunnel 365  5    SI
172.16.70.5     192.168.254.210 6    8080  49772 0/0  0    0   1   tunnel 365  5    FS
172.16.70.5     192.168.254.210 6    8081  49773 0/0  0    0   1   tunnel 365  5    SI
192.168.254.210 204.117.214.10  17   53276 53    0/0  0    0   1   tunnel 365  5    FCI
192.168.254.210 63.164.245.10   6    49773 443   0/0  0    0   0   tunnel 365  5    NCI
192.168.254.210 63.164.245.10   6    49774 443   0/0  0    0   0   tunnel 365  5    NCI
192.168.254.210 63.164.245.10   6    49771 443   0/0  0    0   0   tunnel 365  6    NCI
192.168.254.210 208.76.86.30    6    49770 80    0/0  0    0   0   tunnel 365  6    FNC

Okay, let's focus on this part:
172.16.70.5     192.168.254.210 6    8080  49770 0/0  0    0   1   tunnel 365  6    FS
172.16.70.5     192.168.254.210 6    8081  49771 0/0  0    0   1   tunnel 365  6    SI
172.16.70.5     192.168.254.210 6    8081  49774 0/0  0    0   1   tunnel 365  5    SI
172.16.70.5     192.168.254.210 6    8080  49772 0/0  0    0   1   tunnel 365  5    FS
172.16.70.5     192.168.254.210 6    8081  49773 0/0  0    0   1   tunnel 365  5    SI


If your client is 192.168.254.210, it looks like it is trying to redirect to the ip address of the controller, or 172.16.70.5 on ports 8081 and 8080, which is correct. Are clients permitted to go to 172.16.70.5? Does the controller have an ip address on 192.168.254.x? If so, try changing the ip cp-redirect to that ip address. For example, if the controller's ip address on that subnet is 192.168.254.1:

config t
ip cp-redirect address 192.168.254.1

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Occasional Contributor II

Re: OCSP on Firefox

I'm not sure I understand where you're heading, maybe because you're not understanding where I'm coming from.
1. I connect to our guest wireless SSID, which gives me an IP address and DNS entries.
2. Then when I try to access any Internet URL the captive portal redirects, using an HTTP302 redirect, to the fqdn that I assigned to the certificate.
3. That page I'm redirected to is encrypted HTTPS and the cert is verified (basically) by the browser, though it points to the controller somehow. The page presents me with a login ID.
4. I can then log in with assigned credentials and get access to the guest network (in this circumstance, unrestricted access to the Internet).

This works on Chrome, IE, and Firefox (with cert validation disabled).

However if certificate validation is enabled in Firefox, then in step 2.5, Firefox makes an HTTP call to some site designated by the certificate authority (I'm guessing here) to make sure the certificate is indeed legit and not revoked. In my case it's ocsp.entrust.net.
Step 2.6: the Aruba proxy answers the call to ocsp.entrust.net with an HTTP 302 temporary move and sends that connection to the FQDN of my cert (guestportal.sportsauthority.com). That never properly responds to the OCSP request, so the cert fails validation and Firefox never displays the page, eventually giving a connection reset error message.

Taking all that into account, I'm not sure the local IP addressing has anything to do with the OCSP pass through to the Internet. Since the redirection works for all but Firefox with validation enabled, I'm certain that connectivity between the IP address assigned to the guest computer and the controller is functioning as it should. Do you disagree?
Guru Elite

Re: OCSP on Firefox


I'm not sure I understand where you're heading, maybe because you're not understanding where I'm coming from.
1. I connect to our guest wireless SSID, which gives me an IP address and DNS entries.
2. Then when I try to access any Internet URL the captive portal redirects, using an HTTP302 redirect, to the fqdn that I assigned to the certificate.
3. That page I'm redirected to is encrypted HTTPS and the cert is verified (basically) by the browser, though it points to the controller somehow. The page presents me with a login ID.
4. I can then log in with assigned credentials and get access to the guest network (in this circumstance, unrestricted access to the Internet).

This works on Chrome, IE, and Firefox (with cert validation disabled).

However if certificate validation is enabled in Firefox, then in step 2.5, Firefox makes an HTTP call to some site designated by the certificate authority (I'm guessing here) to make sure the certificate is indeed legit and not revoked. In my case it's ocsp.entrust.net.
Step 2.6: the Aruba proxy answers the call to ocsp.entrust.net with an HTTP 302 temporary move and sends that connection to the FQDN of my cert (guestportal.sportsauthority.com). That never properly responds to the OCSP request, so the cert fails validation and Firefox never displays the page, eventually giving a connection reset error message.

Taking all that into account, I'm not sure the local IP addressing has anything to do with the OCSP pass through to the Internet. Since the redirection works for all but Firefox with validation enabled, I'm certain that connectivity between the IP address assigned to the guest computer and the controller is functioning as it should. Do you disagree?

Yes, I understand. This forum is mainly guessing with limited information.

If the http OCSP request is being redirected to the controller, you are not allowing it high up enough in the logon role, so the http OCSP request is being redirected to the controller instead. Your http request is hitting that dst-nat rule that points to the controller on port 8080, instead of being allowed. Make sure that your permit rule for OCSP is at the top of the ACLs in the "logon" role, whatever it is.

Does that make sense?

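To make the ordering point concrete, here is a small added model (not code from the thread or from ArubaOS) of first-match evaluation over the logon role's rules. The rule shapes and the captive-portal dst-nat to the controller's ports 8080/8081 are assumptions modelled on the session table above, where the client's port-80 flow to 216.191.247.203 carries the N (dest NAT) flag:

```python
# Added example, not from the thread or ArubaOS: a toy first-match model of an
# ordered session ACL in the "logon" role. Rule shape and matching are assumed.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    dst_hosts: Optional[FrozenSet[str]]       # None means "any" destination
    dport: int
    action: str                               # "permit" or "dst-nat"
    nat_to: Optional[Tuple[str, int]] = None  # target for dst-nat rules

@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dport: int

# Constructed values from the thread: two OCSP responder hosts that appear in the
# netdestination alias, and the controller address the dst-nat rules point at.
OCSP_HOSTS = frozenset({"216.191.247.203", "199.7.71.72"})
CONTROLLER = "172.16.70.5"

ocsp_permit = Rule(OCSP_HOSTS, 80, "permit")              # "user alias OCSP svc-http permit"
cp_http = Rule(None, 80, "dst-nat", (CONTROLLER, 8080))   # captive-portal redirect
cp_https = Rule(None, 443, "dst-nat", (CONTROLLER, 8081))

def evaluate(acl, flow):
    """First matching rule wins; return (action, where the packet actually goes)."""
    for rule in acl:
        if rule.dport != flow.dport:
            continue
        if rule.dst_hosts is not None and flow.dst_ip not in rule.dst_hosts:
            continue
        if rule.action == "permit":
            return ("permit", (flow.dst_ip, flow.dport))
        return ("dst-nat", rule.nat_to)
    return ("deny", None)

# Broken order: the redirect sits above the permit, so the browser's OCSP request
# on port 80 is sent to the controller's 8080 (the N flag in the session table).
BROKEN = [cp_http, cp_https, ocsp_permit]
# Fixed order: "session-acl ocsp-acl position 1" puts the permit first.
FIXED = [ocsp_permit, cp_http, cp_https]

OCSP_REQUEST = Flow("216.191.247.203", 80)

if __name__ == "__main__":
    print("broken:", evaluate(BROKEN, OCSP_REQUEST))
    print("fixed: ", evaluate(FIXED, OCSP_REQUEST))
```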
Occasional Contributor II

Re: OCSP on Firefox

Yes, I think so. I'll give it a try and update the thread.
Occasional Contributor II

Re: OCSP on Firefox

Thank you for your help. You were absolutely right - however I needed more support from an ACL perspective to set it up because I'm an Aruba n00bie. I'm going to describe what I did and maybe it will help others, but I take no credit as this was given to me by Aruba support.

#configure terminal
(config)#netdestination OCSP
(config-dest)#host 199.7.48.72
(config-dest)#host 199.7.50.72
(config-dest)#host 199.7.51.72
(config-dest)#host 199.7.52.72
(config-dest)#host 199.7.54.72
(config-dest)#host 199.7.55.72
(config-dest)#host 199.7.57.72
(config-dest)#host 199.7.58.72
(config-dest)#host 199.7.59.72
(config-dest)#host 199.7.71.72
(config-dest)#host 199.16.83.72
(config-dest)#host 174.133.236.131
(config-dest)#host 174.133.251.251
(config-dest)#host 208.77.208.79
(config-dest)#host 208.77.208.82
(config-dest)#host 208.116.13.251
(config-dest)#host 208.116.18.83
(config-dest)#host 64.150.188.27
(config-dest)#host 64.150.190.19
(config-dest)#host 65.98.24.187
(config-dest)#host 69.175.66.203
(config-dest)#host 69.175.66.219
(config-dest)#host 216.191.247.203
(config-dest)#exit
(config)#ip access-list session ocsp-acl (You can specify any name for this, here it is "ocsp-acl")
(config-sess-ocsp-acl)#user alias OCSP svc-http permit
(config-sess-ocsp-acl)#user alias OCSP svc-https permit
(config-sess-ocsp-acl)#exit
(config)#user-role logon (Use the name of your logon role here; "logon" is the example)
(config-role)# session-acl ocsp-acl position 1
(config-role)#exit
(config)#exit
#write memory

I would assume that you do not need all the OCSP hosts listed but it would help should the cert get renewed with a different CA next time.
Occasional Contributor II

Re: OCSP on Firefox

This has been a bit of a pain, and we too just added an ACL within our login role... but on top of that we just run a script that checks the OCSP DNS records a few times a day, compares the diff if any, sends an email, and then updates the ACL.
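An added sketch of that kind of checker (not the poster's script): it resolves the OCSP responder names mentioned in this thread, diffs the address set against the last run, and prints the ArubaOS lines that would add new hosts to the "OCSP" netdestination. The names, the prior record and the DNS answers are constructed, and the resolver is injectable so it runs offline; forward DNS can also miss an address a responder actually uses (a later post in this thread found one only in a Wireshark trace), so removals are reported but not applied.

```python
# Added example, not the poster's script: resolve the OCSP responder names from
# this thread, diff the address set against the last run, and print the ArubaOS
# lines that would add any new hosts to the "OCSP" netdestination.
import socket
from typing import Callable, Dict, Iterable, Set, Tuple

OCSP_NAMES = ["ocsp.entrust.net", "ocsp.comodoca.com"]  # responders named in the thread

def resolve_live(name: str) -> Set[str]:
    """Real forward lookup of every IPv4 A record for a name."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def current_hosts(names: Iterable[str],
                  resolve: Callable[[str], Set[str]] = resolve_live) -> Set[str]:
    """Union of the addresses every responder name resolves to right now."""
    found: Set[str] = set()
    for name in names:
        try:
            found |= resolve(name)
        except OSError:
            pass  # a name that fails to resolve contributes nothing this run
    return found

def diff_hosts(previous: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) relative to the address set recorded last time."""
    return current - previous, previous - current

def netdestination_lines(alias: str, hosts: Iterable[str]) -> str:
    """CLI lines, in the thread's order, that add hosts to an existing alias."""
    by_octet = sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    lines = ["configure terminal", f"netdestination {alias}"]
    lines += [f"host {ip}" for ip in by_octet]
    lines += ["exit", "exit", "write memory"]
    return "\n".join(lines)

# Constructed DNS answers and a constructed prior record (offline demo data).
FAKE_DNS: Dict[str, Set[str]] = {"ocsp.entrust.net": {"216.191.247.203"},
                                 "ocsp.comodoca.com": {"91.209.196.169", "199.66.201.169"}}
LAST_RUN: Set[str] = {"216.191.247.203", "199.7.71.72"}

def check_once() -> Tuple[Set[str], Set[str]]:
    return diff_hosts(LAST_RUN, current_hosts(OCSP_NAMES, lambda n: FAKE_DNS.get(n, set())))

if __name__ == "__main__":
    added, removed = check_once()
    print("new responder addresses:", sorted(added))
    print("no longer returned by DNS (verify before removing):", sorted(removed))
    if added:
        print(netdestination_lines("OCSP", added))
```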
Aruba Employee

One more IP for the default Aruba cert:

My customer was hitting a problem despite permitting the IP list from this thread in the logon role. A Wireshark trace showed that the ocsp.comodoca.com address resolution was 178.255.83.1. I don't get this address when doing a DNS query, but the reverse DNS works:

DNS lookup:

> ocsp.comodoca.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

------------
------------
Got answer (67 bytes):
HEADER:
opcode = QUERY, id = 26, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0

QUESTIONS:
ocsp.comodoca.com, type = ANY, class = IN
ANSWERS:
-> ocsp.comodoca.com
type = A, class = IN, dlen = 4
internet address = 91.209.196.169
ttl = 545 (9 mins 5 secs)
-> ocsp.comodoca.com
type = A, class = IN, dlen = 4
internet address = 199.66.201.169
ttl = 545 (9 mins 5 secs)

------------
Non-authoritative answer:
ocsp.comodoca.com
type = A, class = IN, dlen = 4
internet address = 91.209.196.169
ttl = 545 (9 mins 5 secs)
ocsp.comodoca.com
type = A, class = IN, dlen = 4
internet address = 199.66.201.169
ttl = 545 (9 mins 5 secs)


reverse DNS:

set d2
> 178.255.83.1
Server: google-public-dns-a.google.com
Address: 8.8.8.8

------------
Got answer (74 bytes):
HEADER:
opcode = QUERY, id = 24, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
1.83.255.178.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 1.83.255.178.in-addr.arpa
type = PTR, class = IN, dlen = 19
name = ocsp.comodoca.com
ttl = 8843 (2 hours 27 mins 23 secs)

------------
Name: ocsp.comodoca.com
Address: 178.255.83.1


Occasional Contributor II

What about proxy users ?

Hello,

I understand the issue with OCSP, but when guests must use an explicit proxy, how can I let the request pass to the OCSP server, as I can see the contents of my proxy request?
I can only dst-nat all requests to "myproxy" TCP 3128 to mswitch 8088, and then never let them go to the OCSP server.

Am I forgetting something?

Thank you
Aruba Employee

Another Address

Found another address for thawte/geotrust/verisign CRL:

any host 199.7.71.190 any permit log

Had to do this today for our Geotrust cert to get it working with Lion 10.7.2. Even disabling OCSP and CRL on the client in Keychain Access didn't fix the problem. Only adding in this address did.

Zach
Thanks,

Zach Jennings