OCSP through captive portal

AECOMpete_2
Level 1

Hi All,

We recently applied a 3rd party SSL certificate to our 5508 (running 7.0.220.0) to be used for guest web authentication. It's working, however Mac clients are getting invalid certificate messages. This seems to be due to Mac's default behavior to use OCSP to validate certificates. Disabling OCSP via the Keychain causes the cert error to go away. I'm wondering if there is any WLC setting that allows OCSP through the captive portal. Thanks for your assistance.

-Pete

6 Replies

AECOMpete_2
Level 1

Really... No one else has run into this.

Amjad Abdullah
VIP Alumni

Pete,

I have good experience with WLC and I never heard anything about configuring WLC to support OCSP.

IMHO the issue is with the client, not with the WLC. If you debug traffic (or capture packets) you will probably find that the Mac device is the party that stops responding (or responds with a reject) at some point.

You need to look at the Mac side to be compatible with WLC not the other way.

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Amjad Abdullah
VIP Alumni

Pete,

I might be wrong with my above post.

Check this: www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_220_0.html#wp784183

Rating useful replies is more useful than saying "Thank you"

Interestingly, while it has existed since 7.0.220.0 (and I've confirmed the commands exist in 7.0.235.0 and 7.2.110) there is no mention of it in the 7.2 command reference guide.

I guess they missed it.

Hola,

I have the same issue with OCSP... But the described command set only seems to apply to the admin interface and not to a Guest portal...

Do I have to configure a pre-authentication ACL for my Guest access or is there any simpler way to deal with this?

Hey Stump,

What you need is a pre-authentication ACL.

Just create an ACL under the Security tab that allows traffic to and from the OCSP server(s) for your CA. Then apply it under Layer 3 security for your WLAN as a pre-auth ACL. Works perfectly.
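The same pre-auth ACL expressed from the WLC 7.x CLI, as an added example rather than anything posted in this thread. The ACL name, WLAN ID 1 and the responder address 203.0.113.10 are placeholders (the real address comes from the OCSP URI in your certificate's Authority Information Access extension), and the command syntax is as I recall it from the 7.x command reference, so check it against your release before applying.

```text
! Placeholder ACL name and OCSP responder address (203.0.113.10 is a
! documentation-range stand-in for your CA's responder); replace both.
config acl create OCSP-PREAUTH

! Rule 1: client -> OCSP responder, HTTP (OCSP responders normally use TCP/80)
config acl rule add OCSP-PREAUTH 1
config acl rule source address OCSP-PREAUTH 1 0.0.0.0 0.0.0.0
config acl rule destination address OCSP-PREAUTH 1 203.0.113.10 255.255.255.255
config acl rule protocol OCSP-PREAUTH 1 6
config acl rule destination port range OCSP-PREAUTH 1 80 80
config acl rule direction OCSP-PREAUTH 1 in
config acl rule action OCSP-PREAUTH 1 permit

! Rule 2: OCSP responder -> client (return traffic)
config acl rule add OCSP-PREAUTH 2
config acl rule source address OCSP-PREAUTH 2 203.0.113.10 255.255.255.255
config acl rule destination address OCSP-PREAUTH 2 0.0.0.0 0.0.0.0
config acl rule protocol OCSP-PREAUTH 2 6
config acl rule source port range OCSP-PREAUTH 2 80 80
config acl rule direction OCSP-PREAUTH 2 out
config acl rule action OCSP-PREAUTH 2 permit

! Push the ACL to the APs/controller data plane
config acl apply OCSP-PREAUTH

! Attach it to the guest WLAN (placeholder WLAN ID 1) as the web-auth pre-auth ACL;
! the WLAN must be disabled while its security settings change
config wlan disable 1
config wlan security web-auth acl 1 OCSP-PREAUTH
config wlan enable 1

! Verify
show acl detailed OCSP-PREAUTH
show wlan 1
```

DNS is already permitted before web authentication on the WLC, so the client can resolve the responder hostname; the ACL only needs to cover the HTTP exchange with the responder itself. If the CA's responder sits behind a CDN with several addresses, add one rule pair per address (or per subnet) rather than opening port 80 to everything.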

Thanks all for looking into this.

-Pete
