Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CP Guest - mobile devices are redirected, but Windows are not...

  • 1.  CP Guest - mobile devices are redirected, but Windows are not...

    Posted Sep 12, 2012 12:14 PM

    Hello!

    Got a problem we've so far been unable to figure out.

    Aruba OS 6.1.2.7

    ClearPass Guest latest update

    Scenario is normal redirect to ClearPass Guest for self-registration.

    We set everything up as usual, and our testing using iPad and Android OS devices, and one Win7 machine worked fine so we went home...

    User called us up later telling us Windows XP, 7 and 8 were unable to get on. The captive portal redirect just timed out.

    So we tested some more, and sure enough - our test WinXP/7 machines all timed out on CP, while iPad and Android work flawlessly... Redirect, register, login and out to internet they go.

    How do we go about troubleshooting this thing?

    The Windows 7 machines do get an IP address and we can ping the ClearPass server. The timeout redirect URL is also correct.

    I've tried various debug logging, but there isn't anything I can read from them that explains why this happens.

    Thanks for any advice you can give.



  • 2.  RE: CP Guest - mobile devices are redirected, but Windows are not...

    Posted Sep 12, 2012 04:21 PM

    This issue might be related to the OCSP check. You could be running into an issue where web browsers attempt to contact an OCSP server, to see if the captive portal certificate is valid and has not been revoked. For instance, Firefox 3 (on all platforms) enables OCSP checking by default.

    The OCSP server for that domain is a property of the certificate that you load, and is found in the AIA field of the certificate. Browsers with OCSP validation enabled will attempt to contact that server over HTTP or HTTPS to determine if the certificate has been revoked. Because captive portal rules have been configured to capture and redirect HTTP/HTTPS, the check will fail and the browser will never load the page.

    An easy workaround is to use the walled garden feature to allow access to the required OCSP gateway or create an ACL that allows the access. Before doing this you can check to see if OCSP is the problem by disabling it in Firefox.

    For Firefox, you can turn off OCSP validation in (Tools -> Options -> Advanced -> Encryption / Certificates -> Verification). If this solves the issue then OCSP is the problem.

    Regards,

    Sathya
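
Added example, not part of the thread or of any poster's code: the OCSP responder address described in post 2 is stored in the certificate's Authority Information Access extension, and this stdlib-only Python code walks the DER encoding to list the responder hosts that a walled garden or pre-auth ACL would have to permit. The `example.test` URLs and the sample extension bytes are constructed for illustration.

```python
from urllib.parse import urlparse

OID_OCSP = bytes.fromhex("2b06010505073001")  # id-ad-ocsp, 1.3.6.1.5.5.7.48.1

def _children(buf, start, end):
    """Split buf[start:end] into DER TLVs: a list of (tag, value_start, value_end)."""
    out = []
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > end:
            raise ValueError("TLV runs past its container")
        out.append((tag, pos, pos + length))
        start = pos + length
    return out

def ocsp_urls(der, start=0, end=None):
    """Return every OCSP responder URI found in an AIA extension inside der."""
    end = len(der) if end is None else end
    try:
        kids = _children(der, start, end)
    except (ValueError, IndexError):
        return []  # opaque bytes, not nested DER
    # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation [6] URI }
    if (len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] == 0x86
            and der[kids[0][1]:kids[0][2]] == OID_OCSP):
        return [der[kids[1][1]:kids[1][2]].decode("ascii", "replace")]
    urls = []
    for tag, vs, ve in kids:
        if tag & 0x20 or tag == 0x04:  # constructed type, or OCTET STRING wrapper
            urls += ocsp_urls(der, vs, ve)
    return urls

def walled_garden_hosts(der):
    """Host names a pre-auth role must reach for revocation checks to complete."""
    return sorted({h for u in ocsp_urls(der) if (h := urlparse(u).hostname)})

def _enc(tag, *parts):  # short-form DER encoder, only used to build the sample
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed sample: one AIA extension with hypothetical example.test URLs.
SAMPLE_EXT = _enc(0x30, _enc(0x06, bytes.fromhex("2b06010505070101")), _enc(0x04, _enc(0x30,
    _enc(0x30, _enc(0x06, OID_OCSP), _enc(0x86, b"http://ocsp.example.test/")),
    _enc(0x30, _enc(0x06, bytes.fromhex("2b06010505073002")),
         _enc(0x86, b"http://crt.example.test/ca.crt")))))
```

For a real portal certificate, convert the PEM to DER with `ssl.PEM_cert_to_DER_cert()` and pass the result to `walled_garden_hosts()`.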



  • 3.  RE: CP Guest - mobile devices are redirected, but Windows are not...

    Posted Sep 13, 2012 03:08 AM

    Sathya,

    that could be the case, but this is an open system with plain HTTP in the redirects so OCSP shouldn't come into play here.

    We've tried with Opera, Firefox, Chrome and IE without luck. Both Chrome and Safari on iPad work, as well as Chrome and default browser on Android.



  • 4.  RE: CP Guest - mobile devices are redirected, but Windows are not...

    Posted Sep 14, 2012 06:32 AM

    So - the latest development in this issue..

    If we turn off the Windows Firewall - then the redirect to ClearPass works for Windows PCs... Currently I have no idea what to do with that info tho so still stuck.

    I've gone through the Amigopod Aruba integration appnote a thousand times, and checked my roles to make sure I've not done anything stupid there - and it's as it should be. Frustrated is too mild a word for my mood atm ;)



  • 5.  RE: CP Guest - mobile devices are redirected, but Windows are not...
    Best Answer

    Posted Sep 17, 2012 02:35 AM

    So we found and solved the issue, and it was related to the design of the installation. The setup resulted in many redirects which Windows Firewall didn't accept and just blocked the request. That's why devices without such a firewall accepted the request.

    Controller default gateway was the mgt network.

    ClearPass was connected to the mgt network.

    Guest users default gateway was an external firewall.

    This was not the preferred design, but in the circumstances that's what we had to work with. By moving the ClearPass server to the guest network we worked around the problem.