We recently applied a 3rd party SSL certificate to our 5508 (running 22.214.171.124) to be used for guest web authentication. It's working, however Mac clients are getting invalid certificate messages. This seems to be due to Mac's default behavior to use OCSP to validate certificates. Disabling OCSP via the Keychain causes the cert error to go away. I'm wondering if there is any WLC setting that allows OCSP through the captive portal. Thanks for your assistance.
I have good experience with WLC and I never heard anything about configuring WLC to support OCSP.
IMHO the issue is with the client, not with the WLC. If you debug traffic (or capture packets) you will probably find that the Mac device is the party that stops responding (or responds with reject) at some point.
You need to look at the Mac side to be compatible with the WLC, not the other way around.
I might be wrong with my above post.
Check this: www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_220_0.html#wp784183
Interestingly, while it has existed since 126.96.36.199 (and I've confirmed the commands exist in 188.8.131.52 and 7.2.110) there is no mention of it in the 7.2 command reference guide.
I guess they missed it.
I have the same issue with OCSP... but the described command set only seems to apply to the admin interface and not to a Guest portal...
Do I have to configure a pre-authentication ACL for my Guest access or is there any simpler way to deal with this?
What you need is a pre-authentication acl.
Just create an acl under the security tab that allows traffic to and from the OCSP server(s) for your CA. Then apply it under L3 security for your WLAN as a pre-auth acl. Works perfectly.
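The same pre-authentication ACL expressed on the AireOS WLC CLI, as an added example that is not part of this thread: it assumes the CA's OCSP responder is reachable at 192.0.2.10 on TCP/80 (a placeholder; take the real address from the OCSP URI in the certificate's Authority Information Access extension) and that the guest WLAN has id 2.

```text
! Placeholder responder address and WLAN id; substitute your CA's OCSP host(s)
! Keep the ACL scoped to the responder IP(s) only: anything permitted here is
! reachable by every guest before they authenticate.
config acl create OCSP-PREAUTH

! Rule 1: client -> OCSP responder (TCP/80)
config acl rule add OCSP-PREAUTH 1
config acl rule protocol OCSP-PREAUTH 1 6
config acl rule destination address OCSP-PREAUTH 1 192.0.2.10 255.255.255.255
config acl rule destination port range OCSP-PREAUTH 1 80 80
config acl rule action OCSP-PREAUTH 1 permit

! Rule 2: OCSP responder -> client (return traffic)
config acl rule add OCSP-PREAUTH 2
config acl rule protocol OCSP-PREAUTH 2 6
config acl rule source address OCSP-PREAUTH 2 192.0.2.10 255.255.255.255
config acl rule source port range OCSP-PREAUTH 2 80 80
config acl rule action OCSP-PREAUTH 2 permit

config acl apply OCSP-PREAUTH

! Bind it as the web-auth pre-authentication ACL on the guest WLAN
config wlan disable 2
config wlan security web-auth acl 2 OCSP-PREAUTH
config wlan enable 2
```

If the certificate lists more than one OCSP responder, add a rule pair per responder; a packet capture on the Mac that shows the OCSP HTTP request leaving and a response returning is the quickest confirmation that the ACL is in effect.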
Thanks all for looking into this.