OCSP through captive portal

Hi All,
We recently applied a 3rd party SSL certificate to our 5508 (running 7.0.220.0) to be used for guest web authentication. It's working, however Mac clients are getting invalid certificate messages. This seems to be due to the Mac's default behavior of using OCSP to validate certificates. Disabling OCSP via the Keychain causes the cert error to go away. I'm wondering if there is any WLC setting that allows OCSP through the captive portal. Thanks for your assistance.
-Pete

Pete,
I have good experience with WLC and I have never heard anything about configuring WLC to support OCSP.
IMHO the issue is with the client, not with the WLC. If you debug traffic (or capture packets) you will probably find that the Mac device is the party that stops responding (or responds with a reject) at some point.
You need to look at the Mac side to be compatible with the WLC, not the other way around.
Amjad
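Added example, not from the thread and not a Cisco tool: before deciding whether to let this traffic out through the portal, find out where the certificate chain actually sends the client. A Mac validating the portal certificate fetches the URLs in the chain's Authority Information Access (AIA) extension, that is the OCSP responder and, when the controller does not serve the intermediate, the CA issuers URL, and it does so before the user has logged in. The script walks the DER of a certificate (PEM or DER file given as the first argument) using only the standard library and lists those URLs and hosts; run it over every certificate in the chain, since each has its own AIA. The certificate-shaped sample blob and the example-ca.invalid hostnames are constructed here for the offline run; the OIDs are the standard RFC 5280 values. Caveat a practitioner would want: pre-authentication ACLs on the WLC are IP-based and OCSP responders commonly sit behind CDNs whose addresses change, so the host list is a starting point, not a static rule set.

```python
"""List the OCSP and CA-issuers URLs a validating client will try to reach."""
import base64
import re
import sys
from urllib.parse import urlsplit

OID_AIA = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
ACCESS_METHODS = {OID_OCSP: "ocsp", OID_CA_ISSUERS: "caIssuers"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Dotted form of a DER OBJECT IDENTIFIER body (first byte packs two arcs, rest base-128)."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def _walk(buf):
    """Yield every TLV in document order, descending into constructed nodes."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:  # constructed (SEQUENCE, SET, [n] EXPLICIT): recurse
            yield from _walk(value)


def _parse_aia(extn_value):
    """AuthorityInfoAccessSyntax: SEQUENCE OF { accessMethod OID, accessLocation [6] IA5String }."""
    _, seq, _ = _read_tlv(extn_value, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)
        _, method, after = _read_tlv(desc, 0)
        ltag, location, _ = _read_tlv(desc, after)
        if ltag == 0x86:  # GeneralName uniformResourceIdentifier
            oid = _decode_oid(method)
            out.append((ACCESS_METHODS.get(oid, oid), location.decode("ascii")))
    return out


def _to_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def aia_urls(cert):
    """[(kind, url), ...] from the certificate's AIA extension, or [] if it has none."""
    nodes = list(_walk(_to_der(cert)))
    for i, (tag, value) in enumerate(nodes):
        if tag == 0x06 and _decode_oid(value) == OID_AIA:
            # Extension = SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            for ntag, nvalue in nodes[i + 1:i + 3]:
                if ntag == 0x04:
                    return _parse_aia(nvalue)
    return []


def aia_hosts(cert):
    """Sorted, de-duplicated hostnames a validating client may contact before login."""
    return sorted({urlsplit(url).hostname for _, url in aia_urls(cert)})


# Constructed sample: not a real certificate, only shaped like one so the walk is realistic.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


_AIA_EXT = _tlv(0x30, _oid(OID_AIA) + _tlv(0x04, _tlv(0x30,
    _tlv(0x30, _oid(OID_OCSP) + _tlv(0x86, b"http://ocsp.example-ca.invalid"))
    + _tlv(0x30, _oid(OID_CA_ISSUERS) + _tlv(0x86, b"http://crt.example-ca.invalid/ca.crt")))))
_BC_EXT = _tlv(0x30, _oid("2.5.29.19") + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, b"")))
SAMPLE_CERT = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x2a") + _tlv(0xA3, _tlv(0x30, _BC_EXT + _AIA_EXT))))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    cert = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CERT
    for kind, url in aia_urls(cert):
        print(f"{kind:10} {url}")
    print("hosts contacted before login:", ", ".join(aia_hosts(cert)))
```

Run it as `python aia_hosts.py portal-cert.pem` (and again for each intermediate). The walk descends into every constructed node, so it finds the extension wherever the certificate nests it, and it skips into the `extnValue` OCTET STRING only once the AIA OID has been seen, which keeps unrelated OIDs in the subject and signature fields from matching.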

Similar Messages

  • WLAN connection: authentication through captive po...

    Access to some Wifi hotspots requires an authentication through a captive portal (ID and password must be entered on a special web page). Everything works on my E65 except that I did not find the method to avoid retyping my ID and password every time I try to connect. Any idea?

    Hello,
    I have an E61i and I experience a similar problem. My phone works very well on WiFi networks with no encryption as well as 64-bit WEP.
    At home I have 2 wireless routers, both encrypted at 128 bits, one with WEP and the other with WPA. On both of them I can correctly obtain an IP through DHCP, but the traffic does not go through.
    By using IfInfo I think I discovered the reason for the problem (unless IfInfo is not working properly...) and it seems to be a bug related to the netmask, broadcast and gateway settings. The router is 192.168.15.1 and this is what I get:
    1) DHCP case -- I get two IP addresses: the 169.254.x.x and the one assigned to the router. DNS is also set properly, but gateway, broadcast and netmask are set to 0.0.0.0 for both IPs.
    IP Addr: 169.254.162.106
    Netmask: 0.0.0.0
    Broadcast: 0.0.0.0
    Gateway: 0.0.0.0
    DNS1: 192.168.15.1
    IP Addr: 192.168.15.100
    Netmask: 0.0.0.0
    Broadcast: 0.0.0.0
    Gateway: 0.0.0.0
    DNS1: 192.168.15.1
    2) Static IP 192.168.15.64, netmask set to 255.255.255.0 and gateway and DNS set to 192.168.15.1. The 169.254.x.x disappears and I get only one IP which is set to:
    IP Addr: 192.168.15.64
    Netmask: 0.0.0.0
    Broadcast:192.168.15.255
    Gateway: 192.168.15.1
    DNS1: 192.168.15.1
    So in conclusion, it seems that with 128-bit encryption, in the DHCP case gateway, broadcast and netmask are not assigned correctly! While in the static IP case the netmask is still not assigned correctly!!!
    Hope this can help...
    --AP

  • Anyconnect 3.1 Captive Portal False Alert Stops Users Connecting.

    Hi All,
    I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting.
    This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below.
    "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
    Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CN listed in the Client Profile. I've set this up to match, to no avail.
    Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
    Any advice would be appreciated, just let me know what extra details to post if needed.
    Many thanks,
    Josh Campbell

    Hi Joshua,
    The below information could be located at
    www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html
    False Captive Portal Detection
    AnyConnect can falsely assume it is in a captive portal in the following situations.
    • If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a "captive portal" environment.
    To prevent this, make sure the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.
    • If there is another device on the network before the ASA, and that device responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a "captive portal" environment. This situation can occur when a user is on an internal network, and connects through a firewall to connect to the ASA.
    If you need to restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic to the ASA's address does not return an HTTP status. HTTP/HTTPS access to the ASA should either be allowed or completely blocked (also known as black-holed) to ensure that HTTP/HTTPS requests sent
    There is also a bug filed for this. Just for your reference,
    CSCud17825 - Anyconnect captive portal
    Regards,
    Srikanth K S.

  • Allowing Airwatch MDM access to the Captive-Portal guest users in pre-auth role for android and BB?

    Requirement:
    How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
    What is Airwatch MDM?
    Airwatch MDM is Mobile Device Management. Airwatch is an enterprise product which helps to manage and secure data traveling through mobile devices like laptops, tablets, Android, iPhones, iPads etc.
    Solution:
    Why we need to allow access to Airwatch MDM?
    The network administrator can force the guest users to register with Airwatch MDM before they get authenticated and access the internet, so that the network administrator can manage the guest devices through the Airwatch management tool. This can be achieved by the CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server, certain domains should be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow the guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
    Configuration:
    Configuration steps:
    1. Create the following netdestinations
    netdestination Airwatch
      name *.awagent.com
      name *.awmdm.com
      name air-watch.com
    netdestination Google-Play
      name android.clients.google.com
      name .ggpht.com
      name gstatic.com
      name accounts.google.com
      name clients1.google.com
      name clients2.google.com
      name clients3.google.com
      name clients4.google.com
      name i.ytimg.com
      name google-analytics.com
      name .1e100.net
      name android.l.google.com
      name mtalk.google.com
      name clients.l.google.com
      name googleapis.com
      name gvt1.com
    netdestination BlackBerry
      name *.blackberry.com
    2. Now define the rules in the session acl and map it to the pre-authentication Role of the captive portal.
    ip access-list session Airwatch_Access
      any   alias Airwatch svc-http  permit
      any   alias Airwatch svc-https  permit
    ip access-list session Google-Play-Store
      any   alias Google-Play any permit
    ip access-list session BlackBerry-Access
      any   alias BlackBerry any permit
    3. Now map the session ACLs to captive-portal pre-authentication Role as follows
    user-role Guest-Pre-Auth-Role
     access-list session Airwatch_Access
     access-list session Google-Play-Store
     access-list session BlackBerry-Access
     access-list session logon-control
     access-list session captiveportal
    4. Now whitelist the list of domain names in the Captive Portal profile (the white-list entries are the netdestinations where you defined the domains)
    aaa authentication captive-portal Airwatch-Captive-Portal-Profile
    white-list Airwatch
    white-list Google-Play
    white-list BlackBerry
    Verification
    Now the user will be placed in the "Guest-Pre-Auth-Role" before authentication. The user can now go to the Google Play Store or BlackBerry App World to download the Airwatch MDM app and register with the Airwatch Management Server.

    Thanks so much for getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IPs. It was not going well. Now access is working and testing can commence! Thanks, Chris

  • ISE Wired captive portal

    I have a new ISE integration. I have implemented captive portal for wireless and wired guests; for wireless all is working perfectly.
    For wired I can see that ISE puts the captive URL on the interface of the switch, but from the Windows laptop I am unable to see the link in the browser. Please advise.

    In the same document you have
    Wired NAD Interaction for Central WebAuth
    If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
    The Central WebAuth triggered by a MAB failure flow follows these steps:
    1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
    2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
    3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
    4. The client machine connects and the NAD initiates a MAB request.
    5. The Cisco ISE server processes the MAB request and does not find an endpoint for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
    The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
    https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
    6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
    7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
    8. The gateway URL value with action CWA redirects to the guest portal login page.
    9. The client enters the username and password and submits the login form.
    10. The guest action server authenticates the user credentials provided.
    11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
    12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
    Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
    13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
    14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
    15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
    16. Once the client machine is compliant (ensure you have an Authorization Policy configured with "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions), the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

  • Captive Portal with Wireless Mobility

    Has anyone successfully configured a captive portal/proxy while maintaining their WDS infrastructure?
    We're wanting to make users accept a user agreement before being able to progress to the outside world. We're currently using m0n0wall to accomplish this on our wired network, but with the interesting way that the wireless traffic actually enters the network through the tunnel/loopback interface it's creating some confusion for me.
    Can it be as simple as changing the tunnel source to a VLAN instead of a loopback? Anyone have any insight?

    The Captive Portal is used to control what happens when an application request, layers 5-7, is redirected at layers 3-4 (i.e. when the destination IP address or port number of a request from an application is changed, and the application layers in the protocol request still have the previous IP address or domain and port number encoded in them). This is analogous to the Network Address Translation (NAT) function performed by a router.
    http://www.cisco.com/en/US/tech/tk722/tk721/technologies_white_paper09186a00801a0c62.shtml

  • Aironet 1142 Support captive portal?

    Hi, Does anyone know if Aironet 1142 AP has captive portal?
    Thanks

    I use mine at work, and when I install a modem for a customer, I use my Mac all the time and go through our Walled Garden and Captive Portal system and have no issues having Safari redirect to the page needed to release the modem. I work for the local cable company and it works for me all day long, both the walled garden page, which is where I go to put the modem on the account, and the captive portal, which is where the user name and password are set up before the modem is released to go wherever on the Internet.

  • WRT54G Bridges, VPN's, Captive Portals, etc. (Advanced FAQ)

    These questions are only in relation to the above Wireless Router (v6, FW-v1.02 [2010]) :
    1. What is an Ethernet Bridge (the basic authoritative definition), and besides gaming, what are they generally used for in a business setting?
    2. What are VPN settings in a Router used for, and can a VPN be configured on a remote PC without them?
    3. Utilizing bridging, etc., can I utilize my WRT54G as a makeshift Range Expander as long as the primary router doesn't have WEP key requirements? The current WiFi doesn't reach my PC, so I thought I could configure my router midway in hopes of extending the other router's signal, via some kind of bridging if necessary. Naturally, there would only be a wireless connection between routers.
    4. How can I set up a simple Captive Portal on this router?
    If more expedient, provide any definitive links to answer these questions, preferably at Cisco sites. Thanks.

    Re 1. Where did you find this? The WRT is a switch, not a bridge. Technically, the switch does the same as the bridge, only better. It connects two or more ethernet segments and joins them into a single ethernet network.
    Re 2. The VPN settings are used when you have VPN connections running through the router (i.e. not as endpoint). If it's possible to connect without them depends on the kind of VPN you are trying to establish. Some will work and some won't unless you have enabled the corresponding passthrough.
    3. ethernet bridging and wireless bridging are completely different things. The WRT won't connect wirelessly to other routers.
    4. You can't.

  • Automatic disconnection from AP when timed out (session or authentication) from captive portal

    Captive portal implementation permits/blocks web traffic. When a user is timed out (authentication & session) it still occupies a channel as seen in the clients list. How can we disconnect a host that is timed out?

    There is NO Failed Authenticated list. These are the only available tabs in the LAPAC1200 Captive Portal: Global Configuration, Portal Profiles, Local User, Local Group, Web Customization, Profile Association, Client Information.

  • ISE captive portal timeouts and radio policy

    Hello!
    I have two questions.
    First, have some of you guys worked with the captive portal in ISE (guestportal)?
    I have set up a new wireless network for a customer and they want to use the guest portal for some users.
    The problem that I am experiencing is that on a particular site with many small buildings users complain that they have to reauthenticate using the web portal when moving between the buildings.
    I have tried extending the idle user timeout on that particular WLAN in the Cisco 5508, but I am still having this problem.
    I would actually like it if the user logs in via the guest portal at the beginning of the work day and after say 4-5 hours they have to reauthenticate.
    And if they lose network connectivity (moving between buildings, iPhone/Android shutting down the WiFi adapter, etc.) they should be fine connecting again because they have already authenticated once during the last 4-5 hours.
    Is this possible via the ISE?
    My second question deals with 2.4 and 5 Ghz band.
    I use AP groups in each of my distribution areas. All groups have the same SSID but different egress interfaces (interface groups).
    And in some of these I want to reserve the 5 GHz band for voice over WLAN and in others I would like to use both bands.
    Do I have to create different WLAN profiles with different radio policies and the same SSID, or could I do this in the AP group settings using RF profiles?
    Hope for some help!
    //Simon

    Your first answer: there is no such option in ISE till now where you can specify a fixed login time for a client. If the client disconnects from the network and reconnects again, it requires re-authentication every time.
    Your second answer: you can use the AP group settings with RF profiles to achieve this task.

  • Laptop no longer loads Captive Portal following Windows 8.1 upgrade

    Since upgrading to Win 8.1 from Win 8, I no longer see a captive portal displayed whenever I try to connect to a wireless network that requires additional login information. Some WiFi networks require you to click their Terms and Conditions box or add some additional logon information and they splash up a Captive Portal screen to allow you to enter the information. Without entering this information I receive an IP address for my wireless adapter ok, but end up with a "Limited Internet" connection. Which means I cannot connect to the Internet at all. This exact same problem has happened to two colleagues of mine that recently upgraded to Windows 8.1 on their laptops. Any help will be much appreciated.

    Hello Grantlsmith,
    Do you receive any error message when you connect to a wireless network that requires additional login information?
    Or you just connect to the Wi-Fi with limited Internet, and nothing pop up?
    Please take the following steps for troubleshooting:
    1. Please provide the result of the command ipconfig /all
    2. Ping the IP address of the URL and check if we can contact it.
    3. Type in the URL that could be used in Windows 8 and check if we can open the Captive Portal
    Best regards,
    Fangzhou CHEN
    TechNet Community Support

  • Workflow for Vendor Creation through a portal.

    Hi All Workflow Experts,
    I have a scenario here. In my project a vendor is created through a portal. On the submit button from the portal the workflow is to be triggered. I have to design the workflow process. So can you please guide me through what all I should consider while I design this workflow?
    This is my first workflow assignment so if you explain in detail it will be a great help.
    I will just pen down what all scenarios i can think of:
    1.Start workflow after vendor creation or modification.
    2.Check whether approvers are maintained in the Org structure through standard FMs.
    3.Check If approvers are maintained ?
    4.If yes,approve or reject the vendor.
    5.If no,get the agents from the custom table who can take an action on this.
    This is what i can think of.
    Please guide me.
    Thanks in Advance,
    Saket.

    The corresponding BO related to vendor creation or change is LFA1, but this Business Object does not have any events related to Create and Change, so try to create a ZLFA1 and add your own events, or make use of the delegation concept where you create a delegation for LFA1.
    For your first issue
    Start workflow after vendor creation or modification
    EXIT_SAPMF02K_001 Vendors: User Exit for Checks prior to Saving is the user exit wherein you can call the workflow whenever you change or create, because this user exit will trigger whenever you try to save the vendor. So I think you can make use of this user exit.
    For your second issue
    Check whether approvers are maintained in the Org structure through standard FMs.
    Make use of the SWI_GET_USERS_OF_ORG_UNIT function module to get the users of the Org unit
    or you can create a Rule(for determining the agents dynamically) to find the approvers.

  • Buy a new hp deskjet ink advantage 3545e all-in-one printer through online portal. how to get the

    Regarding a new hp deskjet ink advantage 3545e all-in-one printer through online portal.
    how to get the free cartridge . do we need to register somewhere to get it. Any specific condition to get it.

    Hi @kandas1,
    I have brought your issue to the attention of an appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post serial numbers and case details.
    If you are unfamiliar with how the Forum's private message capability works, this post has instructions.
    Sunshyn2005 - I work on behalf of HP

  • Infoblox Captive Portal will not pass the "Accept" screen on Iphone or ipad 6.1.2

    I am learning there is an issue with 6.1.2 with Captive Portal services where the latest iOS release will not progress beyond the terms and conditions. The next step in the authentication process is the certificate check, so it would appear Apple has altered the process?
    We have a lot of users complaining now but only 6.1.2 is affected. I have checked previous version on other devices and there is no issue.
    Thanks
    Ken

    Anyone? C'mon, I know some of you techie type folks know how to fix this!

  • List of Oracle Reports run through Oracle Portal.

    Hi,
    It's possible that I am posting my message to a wrong Forum. If that's so, please let me know (and the correct forum too).
    I have several Oracle Reports that are run through Oracle Portal (when user clicks a link for a report). I want to get a list of all such Oracle Reports in one go as I need to modify all of them. At the moment, to get the actual report name that I need to modify I am following the steps below.
    When I am at 'Oracle Reports Security' page (in the Portal) where there is a section 'Reports Definition File Access',
    1. I click list icon without entering any value in the box. It shows me a list of all report definitions.
    2. After selecting a report definition, and clicking Edit, it shows me 'Manage Component' page. There are several links available. One of them is 'Edit'.
    3. I click 'Edit' and it shows me the actual 'Oracle Reports File Name'. This is the file I need to work on.
    But instead of following the above steps for each of the several reports I need to modify, is there any way, say by running a SQL query, to find out the actual Oracle Reports file names?
    The 'Manage Component' page shows 'Run Link' and links for 'PL/SQL source'. I tried to search for the schema name and package name in the database (by connecting as SYS user). However, I found neither the Schema nor the Package.
    Hope my question is clear. In brief, I want to get a list of Oracle Reports file names that are run through Oracle Portal.
    Any questions, please let me know.
    Thanks and regards,
    Manoj.

    Jim,
    Did you ever try to add Reports portlet as an item, so that user can click on each item to customize/schedule the report? You can have 50 of them, if that is what you really need.
    Any reason why you want to create custom user interface, instead of using this vehicle that Portal provided by default?
    You mentioned "The report Portlet ... does not allow customization." Actually, it does. You can do it by clicking on the Customize link of the Reports portlet.
    Hope this helps,
    -Jeff
