Question: How do I add the OCSP details on the controller, because captive portal is not working when OCSP is turned on?
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Aruba captive portal is a Layer 3 authentication mechanism. Captive portal presents the user with a login page for any website the user tries to access. Users must pass authentication before they get full access (or the configured access level, depending on the security policy).
To increase security, captive portal is presented over HTTPS by default so that user credentials cannot be sniffed. To provide the HTTPS service, all Aruba controllers come with a default certificate. However, this certificate is for demonstration purposes only, and users are strongly recommended to get their own certificate.
This presents an interesting issue when users load their own certificate:
- Starting with Firefox v3, the certificate revocation check is enabled by default.
- Starting with Internet Explorer v7 on Windows Vista (not XP), OCSP checking is supported.
- All versions of Firefox support OCSP checking. Firefox v3 enables OCSP checking by default.
- Safari on Mac OS X supports OCSP checking.
- Starting with Opera v8, OCSP checking is supported.
- Google Chrome supports OCSP checking.
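Add the following OCSP responder IP addresses as a netdestination, permit that destination in a session ACL, and map the ACL to the captive portal logon role (initial role) so that clients can reach the OCSP responder before they authenticate.
(Aruba) (config) #netdestination ocsp.usertrust.com
(Aruba620-US) (config-dest) #host 208.77.208.79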
(Aruba) (config-dest) #host 208.77.208.82
(Aruba) (config-dest) #host 208.116.13.251
(Aruba) (config-dest) #host 208.116.18.83
(Aruba) (config-dest) #host 64.150.190.19
(Aruba) (config-dest) #host 65.98.24.187
(Aruba) (config-dest) #host 69.175.66.203
(Aruba) (config-dest) #host 69.175.66.219
(Aruba) (config-dest) #host 174.133.236.131
(Aruba) (config-dest) #host 174.133.251.251
(Aruba) (config-dest) #host 91.209.196.169
(Aruba) (config-dest) #exit
(Aruba) (config) #ip access-list session ocsp
(Aruba) (config-sess-ocsp) #user alias ocsp.usertrust.com tcp 80 permit log
(Aruba) (config-sess-ocsp) #exit
(Aruba) (config) #user-role guest-logon
(Aruba) (config-role) #access-list session ocsp position 1
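The addresses above belong to one CA's responder. The script below is an added example, not Aruba's code: it builds the same netdestination, ACL and role commands for whatever OCSP URI your own portal certificate carries. The function names, the certificate file name and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Aruba's code): emit the article's command sequence for the
# OCSP responder named in your own captive portal certificate.

# ocsp_host_port URI -> "host port" (port defaults from the scheme)
ocsp_host_port() (
  case $1 in
    http://*)  rest=${1#http://};  port=80 ;;
    https://*) rest=${1#https://}; port=443 ;;
    *) exit 1 ;;
  esac
  hostport=${rest%%/*}
  host=${hostport%%:*}
  if [ "$hostport" != "$host" ]; then port=${hostport##*:}; fi
  [ -n "$host" ] || exit 1
  printf '%s %s\n' "$host" "$port"
)

# aruba_ocsp_config URI ADDR... -> ArubaOS commands in the article's layout.
# Tokens that are not dotted-quad IPv4 (e.g. CNAME lines) and duplicates are skipped.
aruba_ocsp_config() (
  uri=$1; shift
  hp=$(ocsp_host_port "$uri") || { echo "unsupported OCSP URI: $uri" >&2; exit 1; }
  host=${hp% *}; port=${hp#* }; seen=" "
  echo "netdestination $host"
  for ip in "$@"; do
    case $ip in
      *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) continue ;;
      *.*.*.*) ;;
      *) continue ;;
    esac
    case $seen in *" $ip "*) continue ;; esac
    seen="$seen$ip "
    echo "host $ip"
  done
  echo "exit"
  echo "ip access-list session ocsp"
  echo "user alias $host tcp $port permit log"
  echo "exit"
  echo "user-role guest-logon"
  echo "access-list session ocsp position 1"
)

# With a real certificate (needs openssl and DNS; portal-cert.pem is a placeholder):
#   uri=$(openssl x509 -in portal-cert.pem -noout -ocsp_uri)
#   aruba_ocsp_config "$uri" $(dig +short A "$(ocsp_host_port "$uri" | cut -d' ' -f1)")

# Constructed demo input: article's responder name, two of its addresses, a duplicate, a CNAME token.
aruba_ocsp_config "http://ocsp.usertrust.com" 208.77.208.79 208.77.208.82 208.77.208.79 ocsp.example.net.
```

Paste the output in config mode, and regenerate it when the responder's DNS records change.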