cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1213
Views
0
Helpful
6
Replies
Highlighted
Beginner

OCSP through captive portal

Hi All,

We recently applied a 3rd party SSL certificate to our 5508 (running 7.0.220.0) to be used for guest web authentication. It's working, however Mac clients are getting invalid certificate messages. This seems to be due to Mac’s default behavior to use OCSP to validate certificates.. Disabling OCSP via the Keychain causes the cert error to go away. I’m wondering if there is any WLC setting that allows OCSP through the captive portal. Thanks for your assistance.

-Pete

6 REPLIES 6
Highlighted
Beginner

Really... No one else has run into this.

Highlighted

Pete,

I have good experience with WLC and I never heard anything about configuring WLC to support OSCP.

IMHO the issue with the client not with WLC. If you debug traffic (or capture packets) you will probably find that the Mac device is the party that stops responding (or responds with reject) at some point.

You need to look at the Mac side to be compatible with WLC not the other way.

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
Highlighted

Pete,

I might be wrong with my above post.

Check this: www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_220_0.html#wp784183

Rating useful replies is more useful than saying "Thank you"
Highlighted

Interestingly, while it has existed since 7.0.220.0 (and I've confirmed the commands exist in 7.0.235.0 and 7.2.110) there is no mention of it in the 7.2 command reference guide.

I guess they missed it.

Highlighted

Hola,

I have the same issue with OCSP... But the described command set only seam to apply to the admin interface and not to a Guest portal...

Do I have to configure a pre-authentication ACL for my Guest access or is there any simpler way to deal with this?

Highlighted

Hey Stump,

What you need is a pre-authentication acl.

Just create an acl under the security tab that allows traffic to and from the OCSP server(s) for your CA. Then apply it under L3 security for your WLAN as a pre-auth acl. Works perfect.

Thanks all for looking into this.

-Pete