This article describes an issue in which wireless clients that use the Mozilla Firefox browser to access the web-portal SSID are unable to connect.
OCSP
The Online Certificate Status Protocol (OCSP) is an Internet protocol used to obtain the revocation status of an X.509 digital certificate. It replaces the earlier Certificate Revocation List (CRL) process and reduces the load on the client when it verifies certificate validity. The process involves an OCSP client and an OCSP server (responder), which is specified by the external CA that issued the certificate to the web server (the controller or SmartPass).
Once the client has obtained the IP address of the OCSP server, it sends a certificate status request to the server; this request contains the serial number of the certificate. The OCSP server looks up the certificate in the CA's database and responds with a message stating whether the certificate is still valid or has already been revoked. Based on this response, the client decides whether to proceed with the connection.
Issue description:
By default, Mozilla Firefox has OCSP enabled, so it checks the validity of every certificate presented to it by the web server against the OCSP responder. However, the portal ACL is deployed on the service profile and blocks all traffic before authentication. The client is therefore not allowed to send any traffic to the OCSP responder before it has authenticated, and the connection fails.
The web portal works fine with Internet Explorer and Google Chrome. The issue is caused by OCSP (Online Certificate Status Protocol) being enabled in later releases of the Mozilla Firefox browser. WLAN clients that use Mozilla Firefox to access the web-portal SSID are unable to connect, and the following error message is displayed:
Failure: connection interrupted
The connection to the server has been changed back, while the page is loaded
You can work around the problem by clearing the corresponding check box in the Firefox certificate settings on the client. However, clearing the check box on every client is not practical for a network administrator. Instead, add two ACEs to the portal ACL that permit traffic to and from the OCSP responder before authentication.
OCSP uses HTTP as its transport, so HTTP traffic to the responder must be allowed. You can also permit all TCP traffic to the OCSP responder, because traffic to the responder is considered safe to allow.
If the IP address of the OCSP responder is 120.34.35.67:
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl permit tcp any 120.34.35.67 0.0.0.0
set security acl name portalacl permit tcp 120.34.35.67 0.0.0.0 any
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl
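The portal ACL above, as an added example that is not part of the original article: a small Python model of the controller's first-match ACE evaluation, using the article's ACL order and its sample responder address (120.34.35.67), so you can check which pre-authentication flows are permitted, which are captured and redirected to the portal, and what happens if the deny entry is not last. The wildcard handling assumes contiguous masks, as in the article's entries.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an MSS address/wildcard pair: 0.0.0.0 = exact host, 255.255.255.255 = any.
    Assumes the wildcard mask is contiguous (low bits set), as in the article's ACL."""
    ones = int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network((addr, 32 - ones), strict=False)

@dataclass(frozen=True)
class Ace:
    """One access control entry; 'capture' models the keyword on the final deny."""
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None
    capture: bool = False

    def matches(self, proto, src, sport, dst, dport) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and self.src_port in (None, sport)
                and self.dst_port in (None, dport))

def portal_acl(ocsp_ip: str) -> List[Ace]:
    """The article's portalacl: DHCP, then the two OCSP ACEs, then deny+capture last."""
    any_host = net("0.0.0.0", "255.255.255.255")
    responder = net(ocsp_ip, "0.0.0.0")
    return [
        Ace("permit", "udp", any_host, any_host, src_port=68, dst_port=67),
        Ace("permit", "tcp", any_host, responder),   # client -> OCSP responder
        Ace("permit", "tcp", responder, any_host),   # OCSP responder -> client
        Ace("deny", "ip", any_host, any_host, capture=True),
    ]

def evaluate(acl: List[Ace], proto, src, sport, dst, dport) -> str:
    """First-match evaluation as applied to an unauthenticated client.
    Returns 'permit', 'capture' (redirected to the portal) or 'deny' (implicit at end)."""
    for ace in acl:
        if ace.matches(proto, src, sport, dst, dport):
            return "capture" if ace.capture else ace.action
    return "deny"

if __name__ == "__main__":
    acl = portal_acl("120.34.35.67")  # sample responder address from the article
    print(evaluate(acl, "tcp", "10.1.1.5", 51000, "120.34.35.67", 80))  # permit
```

The article's ACL has no DNS entry, so the model shows any UDP other than DHCP being captured; the responder must be reachable by the IP address the client already holds.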
2020-10-10: Archived article.