cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2060
Views
0
Helpful
6
Replies

OCSP through captive portal

AECOMpete_2
Level 1
Level 1

Hi All,

We recently applied a 3rd party SSL certificate to our 5508 (running 7.0.220.0) to be used for guest web authentication. It's working, however Mac clients are getting invalid certificate messages. This seems to be due to Mac’s default behavior to use OCSP to validate certificates.. Disabling OCSP via the Keychain causes the cert error to go away. I’m wondering if there is any WLC setting that allows OCSP through the captive portal. Thanks for your assistance.

-Pete

6 Replies 6

AECOMpete_2
Level 1
Level 1

Really... No one else has run into this.

Amjad Abdullah
VIP Alumni
VIP Alumni

Pete,

I have good experience with WLC and I never heard anything about configuring WLC to support OSCP.

IMHO the issue with the client not with WLC. If you debug traffic (or capture packets) you will probably find that the Mac device is the party that stops responding (or responds with reject) at some point.

You need to look at the Mac side to be compatible with WLC not the other way.

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Amjad Abdullah
VIP Alumni
VIP Alumni

Pete,

I might be wrong with my above post.

Check this: www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_220_0.html#wp784183

Rating useful replies is more useful than saying "Thank you"

Interestingly, while it has existed since 7.0.220.0 (and I've confirmed the commands exist in 7.0.235.0 and 7.2.110) there is no mention of it in the 7.2 command reference guide.

I guess they missed it.

Hola,

I have the same issue with OCSP... But the described command set only seam to apply to the admin interface and not to a Guest portal...

Do I have to configure a pre-authentication ACL for my Guest access or is there any simpler way to deal with this?

Hey Stump,

What you need is a pre-authentication acl.

Just create an acl under the security tab that allows traffic to and from the OCSP server(s) for your CA. Then apply it under L3 security for your WLAN as a pre-auth acl. Works perfect.

Thanks all for looking into this.

-Pete

Review Cisco Networking for a $25 gift card