Contributor I

Lion has issue

I have fixed this OCSP issue by updating the certificate. Ever since then, I haven't seen any problem. However, some customers using OS X 10.7 report having this problem again. I am using a Network Solutions certificate. Strangely, I only have the problem with OS X 10.7 and the Safari browser. All other OSes and browsers are working fine.

I know I can turn off OCSP in 10.7, but this is only a short-term solution. Any ideas? :confused:
Regular Contributor II

Re: OCSP on Firefox







I'm having the same issue.

I passed on the Ubiquity "fix" outlined in this post:

http://airheads.arubanetworks.com/vBulletin/showthread.php?t=4451&page=3

Hopefully the user can understand and follow those steps. I should know tomorrow if that fixes their problem.
Aruba Employee

Re: OCSP on Firefox






Try adding a netdestination for 205.234.175.175

That is the IP address of Network Solutions CRL (crl.netsolssl.com). I had to add the CRL for Geotrust to get our 10.7 macs working.

Zach
Thanks,

Zach Jennings
New Contributor

Solved!!!

I have finally solved the issue in our controller.
In my case it was a combination of multiple issues.

First, I had to put my controller in the proper domain (FQDN).
Second, reboot the controller in order to change the domain.
Third, create a new CSR, as it will now have the new domain in it.
Fourth, re-key the certs.
Fifth, download, unzip, and open both certs (main and bundle) and append the contents of the bundle to the main cert, as this will create the complete cert tree.
Sixth, after uploading, point the captive portal to use the newly uploaded cert.
Seventh, find the IP used by your cert issuer to do the OCSP check.
Eighth, on the master controller, install an access list for the login role allowing the check to go through.

We used GoDaddy; however, I highly discourage using them, as the support is completely incompetent and basically useless.
This is my access list:

configure terminal
netdestination OCSP
host 199.7.48.72
host 199.7.50.72
host 199.7.51.72
host 199.7.52.72
host 199.7.54.72
host 199.7.55.72
host 199.7.57.72
host 199.7.58.72
host 199.7.59.72
host 199.7.71.72
host 199.16.83.72
host 174.133.236.131
host 174.133.251.251
host 208.77.208.79
host 208.77.208.82
host 208.116.13.251
host 208.116.18.83
host 64.150.188.27
host 64.150.190.19
host 65.98.24.187
host 69.175.66.203
host 69.175.66.219
host 216.191.247.203
host 72.167.239.237
exit
ip access-list session ocsp-acl
user alias OCSP svc-http permit
user alias OCSP svc-https permit
exit
user-role logon
session-acl ocsp-acl position 1
exit
exit
write memory
Regular Contributor II

Re: OCSP on Firefox







User reported yesterday that they were able to access the captive portal properly after performing the Ubiquity "fix" from the other thread.

I had also added a couple of other IPs to the OCSP ACL, so can't really say for certain what was the cause of the ultimate fix.

Here are hosts from my OCSP ACL:

conf t
netdestination ocsp.usertrust.com
host 208.77.208.79
host 208.77.208.82
host 208.116.13.251
host 208.116.18.83
host 64.150.190.19
host 65.98.24.187
host 69.175.66.203
host 69.175.66.219
host 174.133.236.131
host 174.133.251.251
host 91.209.196.169
host 64.150.188.27
host 199.7.48.72
host 199.7.50.72
host 199.7.51.72
host 199.7.52.72
host 199.7.54.72
host 199.7.55.72
host 199.7.57.72
host 199.7.58.72
host 199.7.59.72
host 199.7.71.72
host 199.16.83.72
exit
ip access-list session ocsp
user alias ocsp.usertrust.com tcp 80 permit log
exit
user-role guest-logon
access-list session ocsp position 1
user-role OPEN_SSID-guest-logon
access-list session ocsp position 1
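
Added example (not part of any post in this thread): the host lists above are hard-coded snapshots of what the responder names resolved to when they were written, so the pre-auth ACL can silently go stale. This Python sketch parses a netdestination block in the syntax posted above, compares it with what the OCSP/CRL hostnames resolve to now, and prints the lines to add. The function names, the trimmed sample config and the `192.0.2.10` answer are constructed for illustration.

```python
import socket

# Constructed sample: a trimmed copy of the netdestination style posted above.
SAMPLE_CONFIG = """\
netdestination ocsp.usertrust.com
host 208.77.208.79
host 199.7.48.72
exit
ip access-list session ocsp
user alias ocsp.usertrust.com tcp 80 permit log
exit
"""

def parse_netdestinations(config_text):
    """Return {netdestination name: set of host IPs} from ArubaOS-style text."""
    dests, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) >= 2 and words[0] == "netdestination":
            current = words[1]
            dests.setdefault(current, set())
        elif current and len(words) >= 2 and words[0] == "host":
            dests[current].add(words[1])
        elif words:
            current = None  # any other non-blank line closes the block
    return dests

def resolve_ipv4(hostname):
    """Default resolver: the hostname's current A records (needs working DNS)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def missing_hosts(config_text, dest_name, hostnames, resolver=resolve_ipv4):
    """IPs the hostnames resolve to now that the netdestination does not list."""
    allowed = parse_netdestinations(config_text).get(dest_name, set())
    live = set().union(*(resolver(name) for name in hostnames))
    return sorted(live - allowed, key=lambda ip: [int(p) for p in ip.split(".")])

def cli_patch(dest_name, ips):
    """ArubaOS lines that add the missing hosts to the existing netdestination."""
    lines = [f"netdestination {dest_name}"] + [f"host {ip}" for ip in ips] + ["exit"]
    return "\n".join(lines) if ips else ""

if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline; omit resolver= to use real DNS.
    fake_dns = {"ocsp.usertrust.com": {"199.7.48.72", "192.0.2.10"}}
    gaps = missing_hosts(SAMPLE_CONFIG, "ocsp.usertrust.com", list(fake_dns), fake_dns.__getitem__)
    print(cli_patch("ocsp.usertrust.com", gaps) or "netdestination is up to date")
```

Run against a saved copy of the controller configuration with the default resolver, it lists only addresses that are live but not yet permitted; it never removes hosts, so stale entries still need a manual review.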