New Member

OCSP through captive portal

Hi All,

We recently applied a 3rd party SSL certificate to our 5508 (running 7.0.220.0) to be used for guest web authentication. It's working, however Mac clients are getting invalid certificate messages. This seems to be due to Mac’s default behavior to use OCSP to validate certificates. Disabling OCSP via the Keychain causes the cert error to go away. I’m wondering if there is any WLC setting that allows OCSP through the captive portal. Thanks for your assistance.

-Pete

6 REPLIES
New Member

OCSP through captive portal

Really... No one else has run into this.

Re: OCSP through captive portal

Pete,

I have good experience with WLC and I never heard anything about configuring WLC to support OCSP.

IMHO the issue is with the client, not with WLC. If you debug traffic (or capture packets) you will probably find that the Mac device is the party that stops responding (or responds with reject) at some point.

You need to look at the Mac side to be compatible with WLC, not the other way.

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Re: OCSP through captive portal

Pete,

I might be wrong with my above post.

Check this: www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_220_0.html#wp784183

Rating useful replies is more useful than saying "Thank you"
Bronze

OCSP through captive portal

Interestingly, while it has existed since 7.0.220.0 (and I've confirmed the commands exist in 7.0.235.0 and 7.2.110) there is no mention of it in the 7.2 command reference guide.

I guess they missed it.

New Member

OCSP through captive portal

Hola,

I have the same issue with OCSP... But the described command set only seems to apply to the admin interface and not to a Guest portal...

Do I have to configure a pre-authentication ACL for my Guest access or is there any simpler way to deal with this?

New Member

OCSP through captive portal

Hey Stump,

What you need is a pre-authentication acl.

Just create an acl under the security tab that allows traffic to and from the OCSP server(s) for your CA. Then apply it under L3 security for your WLAN as a pre-auth acl. Works perfect.

Thanks all for looking into this.

-Pete
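
Added example (not posted by anyone in this thread): one way to find which OCSP server(s) the pre-authentication ACL has to permit is to read the responder URLs out of the certificate's Authority Information Access extension. The function names and the `ca.example` URLs are constructed for illustration; the sample bytes are a hand-built AIA extension, not a real certificate.

```python
import base64
from urllib.parse import urlsplit

# DER encoding of id-ad-ocsp, OID 1.3.6.1.5.5.7.48.1 (tag 0x06, length 8).
OCSP_OID = bytes.fromhex("06082b06010505073001")
CA_ISSUERS_OID = bytes.fromhex("06082b06010505073002")  # id-ad-caIssuers
URI_TAG = 0x86  # GeneralName uniformResourceIdentifier, context tag [6]

def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def ocsp_urls(der):
    """Return every OCSP responder URL found in a DER certificate or AIA blob."""
    urls, pos = [], der.find(OCSP_OID)
    while pos != -1:
        i = pos + len(OCSP_OID)
        # The accessLocation follows the OID; URLs over 127 bytes are skipped.
        if i + 2 <= len(der) and der[i] == URI_TAG and der[i + 1] < 0x80:
            n = der[i + 1]
            if i + 2 + n <= len(der):
                urls.append(der[i + 2:i + 2 + n].decode("ascii", "replace"))
        pos = der.find(OCSP_OID, pos + 1)
    return urls

def acl_targets(urls):
    """Unique (host, port) pairs that the pre-auth ACL must allow."""
    out = []
    for u in urls:
        p = urlsplit(u)
        port = p.port or (443 if p.scheme == "https" else 80)
        if p.hostname and (p.hostname, port) not in out:
            out.append((p.hostname, port))
    return out

def _access_description(oid_der, url):
    body = oid_der + bytes([URI_TAG, len(url)]) + url.encode()
    return bytes([0x30, len(body)]) + body

# Constructed sample: an AIA value with one OCSP and one caIssuers entry.
_entries = (_access_description(OCSP_OID, "http://ocsp.ca.example/")
            + _access_description(CA_ISSUERS_OID, "http://crt.ca.example/ca.crt"))
SAMPLE_AIA = bytes([0x30, len(_entries)]) + _entries

if __name__ == "__main__":
    for host, port in acl_targets(ocsp_urls(SAMPLE_AIA)):
        print(f"permit pre-auth traffic to and from {host} tcp/{port}")
```

Run it against the portal certificate and each intermediate in the chain, since every certificate can name a different responder.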
