Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

SSL fallback

  • 1.  SSL fallback

    Posted Oct 08, 2013 04:08 AM

     

    Hi,

     

    We are testing the SSL fallback option with SSO. We noticed that when the connection attempts with IPSEC fail, the client turns on SSL mode. The problem is that the first time that the client connects with SSL, in order to download its authentication profile, the connection should be manually launched. I mean, the client does not launch the connection automatically in SSL mode the first time when IPSEC mode is not allowed. Is that the expected behaviour? Should this first connection not turn on automatically to SSL mode without human interaction?

     

    Thanks and regards,

     

     

     

     



  • 2.  RE: SSL fallback

    EMPLOYEE
    Posted Oct 08, 2013 06:23 AM


    The first time domain preconnect is launched the client must launch the connection. Are you combining that with SSL fallback?

     



  • 3.  RE: SSL fallback

    Posted Oct 08, 2013 08:09 AM

     

    Hi,

     

    Thanks Joseph.

    We are not using the pre-connect option. Moreover, the preconnect option works only with IKEv2, and SSL works with IKEv1, so they are incompatible.

    We are using Autologin and Windows Credentials combined with SSL fallback. We don't understand why in the first connection (download of the authentication profile) the SSL mode is not launched automatically when IPSEC fails.

    The process is the following:

    1.- We launch the VIA client and enter the user/pwd for the profile download.

    2.- The authentication profile is downloaded.

    3.- The client automatically tries to establish the IPSEC connection. After the number of attempts defined, the connection fails. The client's status is disconnected.

    4.- The user has to launch the connection again manually. User authentication is granted and the SSL connection is successful.

    Is that normal behaviour? We think that step 4 should be transparent for the user...

     

    Thanks and regards,



  • 4.  RE: SSL fallback

    EMPLOYEE
    Posted Oct 08, 2013 08:15 AM


    Are you blocking ipsec or UDP 4500 when this happens?  Which client are you using?

     

     



  • 5.  RE: SSL fallback

    Posted Oct 09, 2013 04:46 AM

    Hi Joseph,

     

    The VIA client version is 2.1.0.3.

    IPSEC connections (port UDP 4500) are blocked in our firewall for testing SSL.

    The behaviour described below always happens when starting the computer or VIA client. The client should connect automatically with SSL, should it not?

     

    Thanks and regards,

     



  • 6.  RE: SSL fallback

    Posted Oct 15, 2013 07:33 AM

    Hi Joseph,

     

    Do you have any news about this problem?

     

    Thanks!



  • 7.  RE: SSL fallback

    EMPLOYEE
    Posted Oct 15, 2013 09:44 AM

    It should connect automatically with SSL.  Please have TAC take a look at your setup.

     



  • 8.  RE: SSL fallback

    Posted Dec 19, 2013 03:23 AM

     

    Hi,

     

    We have already upgraded to the last controller version 6.2.1.4 and VIA version 2.1.1.3.40312.

    Once we have enabled the SSL fallback option, sometimes we observed that the client has two or three failed IPSEC connection attempts and later it turns into SSL mode and establishes the SSL connection automatically. Nevertheless, sometimes the client, after changing the mode to SSL, does not launch the connection automatically and the client remains disconnected. Is that behaviour normal?

    Another question: is it possible to limit the number of IPSEC connection attempts?

    What does the max authentication failures (defined in the VIA authentication profile) have to do with the Maximum reconnection attempts (defined in the VIA connection profile)? These values have to match, do they not?

     

    Thanks in advance,

     

    Regards,