VIA configuration requires that you first configure VPN settings and then configure VIA settings. See Virtual Private Networks for information on configuring VPN settings on your controller.
The following ports must be enabled before configuring the VIA controller.
Port 443—During the initializing phase, VIA uses HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks.
—Required for IPSec transport
—Required for VIA 1.0 on Mac OS
VIA 1.x and VIA 2.x support different authentication mechanisms:
VIA 1.x: Authentication is performed using IKEv1 only. Phase 0 authentication, which authenticates the VPN client, can be performed using either a pre-shared key or an X.509 certificate (the X.509 certificate must appear in the operating system’s “user” certificate store). If certificates are used for IKE phase 0 authentication, it must be followed by username/password authentication.
The second authentication phase is performed using xAuth, which requires a username and password. The username and password are authenticated against the controller’s internal database, a RADIUS server, or an LDAP server. If a RADIUS server is used, it must support the PAP protocol.
Support for two-factor authentication such as token cards is provided in VIA 1.x. Token products such as RSA tokens and other token cards are also supported, including new-pin and next-pin modes.
VIA 2.x: In addition to the authentication methods supported by VIA 1.x, VIA 2.x adds support for IKEv2. IKEv2 is an updated version that is faster and supports a wider variety of authentication mechanisms. IKEv2 does not have two phases of authentication, only a single phase. VIA supports the following with IKEv2:
Username/password
X.509 certificate. Controllers running ArubaOS 6.1 or greater support OCSP for the purpose of validating that a certificate has not been revoked.
EAP (Extensible Authentication Protocol) including EAP-TLS and EAP-MSCHAPv2.
Certificate-based authentication.
Smart cards that support a Smart Card Cryptographic Provider (SCCP) API within the operating system. VIA will look for an X.509 certificate in the operating system’s certificate store. A smart card supporting a SCCP will cause the certificate embedded within the smart card to automatically appear in the operating system’s certificate store.
Suite B is a new set of cryptographic algorithms that are approved by the US Government for use in classified communication. Suite B provides the highest levels of security available today in public, commercial algorithms. Specifically, VIA provides support for:
RFC 4869—Suite B Cryptographic Suites for IPsec
AES-GCM 128/256 for bulk data transfer
ECDSA for digital signatures, including support for X.509v3 certificates using ECDSA keys with p256/p384 curves
ECDH for key agreement using p256/p384 curves
SHA-256 and SHA-384 for message digests
Suite B support requires a controller running ArubaOS 6.2 or greater with the Advanced Cryptography License installed. See Software Licenses for more information on licenses.
The bSec protocol is a pre-standard protocol that has been proposed to the IEEE 802.11 committee as an alternative to 802.11i. The main difference between bSec and standard 802.11i is that bSec implements Suite B algorithms wherever possible. Notably, AES-CCM is replaced by AES-GCM, and the Key Derivation Function (KDF) of 802.11i is upgraded to support SHA-256 and SHA-384. In order to provide interoperability with standard Wi-Fi software drivers, bSec is implemented as a shim layer between standard 802.11 Wi-Fi and a Layer 3 protocol such as IP. A controller configured to advertise a bSec SSID will advertise an open network; however, only bSec frames will be permitted on the network.
The bSec protocol requires that you use VIA 2.1 or greater on the client device.
The following steps are required to configure your controller for VIA. These steps are described in detail in the subsections that follow.
1. Enable VPN Server Module—ArubaOS allows you to connect to the VIA controller using the default user roles. However, to configure and assign specific user roles you must install the Policy Enforcement Firewall Virtual Private Network (PEFV) license. For details, see Enable VPN Server Module.
2. Create VIA User Roles—VIA user roles contain access control policies for users connecting to your network using VIA. You can configure different VIA roles or use the default VIA role, default-via-role. For details, see Create VIA User Roles.
3. Create VIA Authentication Profile—A VIA authentication profile contains a server group for authenticating VIA users. The server group contains the list of authentication servers and server rules to derive user roles based on the user authentication. You can configure multiple VIA authentication profiles and/or use the default VIA authentication profile created with the Internal server group. For details, see Create VIA Authentication Profile.
4. Create VIA Connection Profile—A VIA connection profile contains settings required by VIA to establish a secure connection to the controller. You can configure multiple VIA connection profiles. A VIA connection profile is always associated to a user role, and all users belonging to that role will use the configured settings. If you do not assign a VIA connection profile to a user role, the default connection profile is used. For details, see Create VIA Connection Profile.
5. Configure VIA Web Authentication—A VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authentication profile is used by end users to log in to the VIA download page (https://<server-IP-address>/via) for downloading the VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is configured, users can view this list and select one during the client login. For details, see Configure VIA Web Authentication.
6. Associate VIA Connection Profile to User Role—A VIA connection profile has to be associated to a user role. Users log in by authenticating against the server group specified in the VIA authentication profile and are put into that user role. The VIA configuration settings are derived from the VIA connection profile attached to that user role. If no connection profile is attached to the role, the default connection profile is used. For details, see Associate VIA Connection Profile to User Role.
7. Configure VIA Client WLAN Profiles—You can push WLAN profiles to end-user computers that use the Microsoft Windows Wireless Zero Config (WZC) service to configure and maintain their wireless networks. After the WLAN profiles are pushed to end-user computers, they are automatically displayed as an ordered list in the preferred networks. The VIA client WLAN profiles provisioned on the client can be selected from the VIA connection profile described in Step 6. For details, see Configure VIA Client WLAN Profiles.
8. Rebranding VIA and Downloading the Installer—You can use a custom logo on the VIA client and on the VIA download web page. For details, see Rebranding VIA and Downloading the Installer.
9. Download VIA Installer and Version File
The following steps illustrate configuring your controller for VIA using the WebUI.
You must install the PEFV license to configure and assign user roles. See for licensing requirements.
To install a license:
1. Navigate to > > and select the tab on the right hand side.
2. Paste the license key in the text box and click the button.
To create VIA user roles:
1. Navigate to > > > .
2. Click to create new policies. Click after creating the user role and apply to save it to the configuration.
The following steps illustrate the procedure to create an authentication profile that authenticates users against a server group.
1. Navigate to > > > .
2. Under the Profiles section, expand the VIA option. You can configure the following parameters for the authentication profile:
Parameter | Description
Default Role | The role that will be assigned to authenticated users.
Max Authentication Failures | Specifies the maximum number of authentication failures allowed. The default is 0 (zero).
Description | A user-friendly name or description for the authentication profile.
3. To create a new authentication profile:
a. Enter a name for the new authentication profile under the VIA Authentication Profiles section and click the button.
b. Expand the VIA option and select the new profile name.
4. To modify an authentication profile, select the profile name to configure the default role.
The following screenshot uses the default authentication profile.
Figure 1 VIA - Associate User Role to VIA Authentication Profile
5. To use a different server group, click Server Group under VIA Authentication Profile and select to create a new server group.
Figure 2 VIA - Creating a new server group for VIA authentication profile
6. Enter a name for the server group.
Figure 3 VIA - Enter a name for the server group
To create VIA connection profile:
1. Navigate to > > > tab. Click the VIA Connection Profile option and enter a name for the connection profile.
Figure 4 VIA - Create VIA Connection Profile
2. Click on the new VIA connection profile to configure the connection settings.
3. Click to save your changes.
Configuration Option | Description
Basic VIA Connection Profile Settings
VIA Servers | Enter the following information about the VIA controller. Click the button after you have entered all the details. If you have more than one VIA controller, you can order them by clicking the Up and Down arrows. To delete a controller from your list, select a controller and click the button.
Client Auto-Login | Enable or disable the VIA client to auto-login and establish a secure connection to the controller. Default: Enabled
VIA tunneled networks | A list of network destinations (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client.
Enable split-tunneling | Enable or disable split tunneling. Default: off
Allow client-side logging | Enable or disable client-side logging. If enabled, the VIA client will collect logs that can be sent to the support e-mail address for troubleshooting. Default: Enabled
Enable IKEv2 | Select this option to enable or disable the use of IKEv2 policies for VIA.
Use Suite B Cryptography | Select this option to use Suite B cryptography methods. You must install the Advanced Cryptography license to use Suite B cryptography. See Working with Licenses for more information.
IKEv2 Authentication method | List of all IKEv2 authentication methods.
VIA Client DNS Suffix List | The DNS suffix list (comma separated) that has to be set on the client once the VPN connection is established. Default: None.
VIA Support E-mail Address | The support e-mail address to which VIA users will send client logs. Default: None.
Advanced VIA Connection Profile Settings
VIA Servers | Enter the following information about the VIA controller. If you have more than one VIA controller, you can re-order them by clicking the Up and Down arrows. To delete a VIA server from your list, select a server and click Delete.
Client Auto-Login | Select this checkbox to allow a VIA client to automatically log in and establish a secure connection to the controller. Default: Enabled
VIA Authentication Profiles to provision | This is the list of VIA authentication profiles that will be displayed to users in the VIA client. See Create VIA Connection Profile.
Allow client to auto-upgrade | Enable or disable the VIA client to automatically upgrade when an updated version of the client is available on the controller. Default: Enabled
VIA tunneled networks | A list of network destinations (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client. Enter an IP address and network mask, then click the Add button to add them to the tunneled networks list. To delete a network entry, select the IP address and click Delete.
Enable split-tunneling | Enable or disable split tunneling. If enabled, all traffic to the VIA tunneled networks will go through the controller and the rest is bridged directly on the client. If disabled, all traffic will flow through the controller. Default: off
VIA Client WLAN profiles | A list of VIA client WLAN profiles that need to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks. See Configure VIA Client WLAN Profiles for more information.
VIA IKE V2 Policy | List of available IKEv2 policies.
VIA IKE Policy | List of IKE policies that the VIA client has to use to connect to the controller. These IKE policies are configured under > > > > .
Use Windows Credentials | Enable or disable the use of the Windows credentials to log in to VIA. If enabled, the SSO (Single Sign-on) feature can be utilized by remote users to connect to internal resources. Default: Enabled
VIA IPSec V2 Crypto Map | List of all IPSec V2 crypto maps that the VIA client uses to connect to the controller.
VIA IPSec Crypto Map | List of IPSec Crypto Maps that the VIA client uses to connect to the controller. These IPSec Crypto Maps are configured in the CLI using the crypto-local ipsec-map <ipsec-map-name> command.
VIA Client Network Mask | The network mask that has to be set on the client after the VPN connection is established. Default: 255.255.255.255
Content Security Gateway URL | If split-tunnel forwarding is enabled, access to external (non-corporate) web sites will be verified by the specified content security service provider.
Enable Supplicant | If enabled, VIA starts in bSec mode using L2 Suite B cryptography. This option is disabled by default.
Enable FIPS Module | Enable the VIA FIPS (Federal Information Processing Standard) module so VIA checks for FIPS compliance during startup. This option is disabled by default.
Auto-Launch Supplicant | Select this option to automatically connect to a configured WLAN network.
Lockdown all Settings | If enabled, all user options on the VIA client are disabled.
Domain Suffix in VIA Authentication | Enables a domain suffix on VIA authentication, so client credentials are sent as domainname\username instead of just username.
Enable Controllers Load Balance | Enable this option to allow the VIA client to fail over to the next available VIA server, selected randomly from the list configured in the VIA Servers option. If disabled, VIA will fail over to the next server in the ordered list of VIA Servers.
Enable Domain Preconnect | Enable this option to allow users with lost or expired passwords to establish a VIA connection to the corporate network. This option authenticates the user’s device and establishes a VIA connection that allows users to reset credentials and continue with corporate access.
VIA Banner Message Reappearance Timeout (minutes) | The maximum time (minutes) allowed before the VIA login banner reappears. Default: 1440 min
VIA Client Network Mask | VIA client network mask, in dotted decimal format.
Validate Server Certificate | Enable or disable VIA from validating the server certificate presented by the controller. Default: Enabled
VIA max session timeout | The maximum time (minutes) allowed before the VIA session is disconnected. Default: 1440 min
VIA Logon Script | Specify the name of the logon script that must be executed after VIA establishes a secure connection. The logon script must reside on the client computer.
VIA Logoff Script | Specify the name of the logoff script that must be executed after the VIA connection is disconnected. The logoff script must reside on the client computer.
Maximum reconnection attempts | The maximum number of reconnection attempts by the VIA client due to authentication failures. Default: 3
VIA external download URL | End users will use this URL to download VIA on their computers.
Allow user to disconnect VIA | Enable or disable users to disconnect their VIA sessions. Default: on
Comma separated list of HTTP ports to be inspected (apart from default port 80) | Traffic from the specified ports will be verified by the content security service provider.
Enable Content Security Services | Select this checkbox to enable content security service. You must install the Content Security Services licenses to use this option. See Working with Licenses for more information.
Keep VIA window minimized | Enable this option to minimize the VIA client to the system tray during the connection phase. Applicable to VIA clients installed on computers running the Microsoft Windows operating system.
Block traffic until VPN tunnel is up | If enabled, this feature will block network access until the VIA VPN connection is established.
Block traffic rules | Specify a hostname or IP address and network mask to define a whitelist of users to which the Block traffic until VPN tunnel is up setting will not apply.
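The interaction between Enable split-tunneling, VIA tunneled networks, Block traffic until VPN tunnel is up and Block traffic rules is easy to misjudge when reviewing a profile. The following model is an added example, not Aruba's code or the VIA client's logic: it encodes the behaviour documented in the table so a reviewer can check what a given profile does to a destination. The profile structure and function names are assumptions, and Block traffic rules are modelled as IP/netmask entries only (hostnames are not resolved).

```python
"""Model of the VIA connection-profile forwarding options described in the table.

Added example (not Aruba's code). Settings modelled, with the page's defaults:
  - Enable split-tunneling (default: off)
  - VIA tunneled networks: list of (address, netmask) pairs
  - Block traffic until VPN tunnel is up (default: off)
  - Block traffic rules: whitelist of (address, netmask) pairs (assumption:
    IP entries only; hostname entries from the page are not resolved here)
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class ConnectionProfile:
    split_tunneling: bool = False
    tunneled_networks: list = field(default_factory=list)
    block_until_tunnel_up: bool = False
    block_traffic_rules: list = field(default_factory=list)


def _in_any(dest: str, entries) -> bool:
    """True if dest lies inside any (address, netmask) entry, e.g. ("10.0.0.0", "255.255.255.0")."""
    ip = IPv4Address(dest)
    return any(ip in IPv4Network(f"{addr}/{mask}", strict=False) for addr, mask in entries)


def forwarding_decision(profile: ConnectionProfile, dest: str, tunnel_up: bool) -> str:
    """Return "tunnel", "direct" or "blocked" for one destination IP.

    Rules taken from the table:
      * Block traffic until VPN tunnel is up: while the tunnel is down, all
        network access is blocked except destinations covered by Block traffic rules.
      * Split tunneling enabled: only VIA tunneled networks go through the
        controller; everything else is bridged directly on the client.
      * Split tunneling disabled: all traffic flows through the controller.
    """
    if not tunnel_up:
        if profile.block_until_tunnel_up and not _in_any(dest, profile.block_traffic_rules):
            return "blocked"
        return "direct"  # no tunnel yet and nothing blocks it: traffic leaves the client normally
    if profile.split_tunneling:
        return "tunnel" if _in_any(dest, profile.tunneled_networks) else "direct"
    return "tunnel"


if __name__ == "__main__":
    # Constructed profile mirroring the CLI example later on this page
    # (tunnel address 10.0.0.0 netmask 255.255.255.0, split-tunneling on).
    corp = ConnectionProfile(
        split_tunneling=True,
        tunneled_networks=[("10.0.0.0", "255.255.255.0")],
        block_until_tunnel_up=True,
        block_traffic_rules=[("192.168.1.10", "255.255.255.255")],
    )
    for dest, up in [("10.0.0.25", True), ("203.0.113.5", True), ("203.0.113.5", False)]:
        print(dest, "tunnel up" if up else "tunnel down", "->", forwarding_decision(corp, dest, up))
```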
To configure VIA web authentication profile:
1. Navigate to > > > tab.
2. Expand VIA Web Authentication and click on the default profile.
You can have only one profile (default) for VIA web authentication.
3. Select a profile from the VIA drop-down list box and click the button.
To re-order profiles, click the Up and Down buttons.
To delete a profile, select a profile and click the button.
4. If a profile is not selected, the default VIA authentication profile is used.
Figure 5 VIA - Select VIA Authentication Profile
To associate a VIA connection profile to a user role:
1. Navigate to > > > tab.
2. Select the VIA user role (see Create VIA User Roles) and click the button.
3. In the Edit Role page, navigate to VIA Connection Profile, select the connection profile from the drop-down list box and click the button.
4. Click the button to save the changes to the configuration.
Figure 6 VIA - Associate VIA Connection Profile to User Role
To configure a VIA client WLAN profile:
1. Navigate to > > .
2. Expand Controller Profiles and select VIA.
3. In the Profile Details, enter a name for the WLAN profile and click the button.
Figure 7 VIA - Create VIA Client WLAN Profile
4. Expand the new WLAN profile and click SSID Profile. In the profile details page, select from the SSID Profile drop-down box and enter a name for the SSID profile.
5. In the Basic tab, enter the network name (SSID) and select 802.11 security settings. Click the button to continue.
Figure 8 VIA - Configure the SSID Profile
6. You can now configure the SSID profile by selecting the SSID profile under the VIA Client WLAN Profile option.
Figure 9 VIA - Configure VIA Client WLAN Profile
The VIA client WLAN profiles are similar to the authentication settings used to set up a wireless network in Microsoft Windows. The following table shows the Microsoft Windows equivalent settings:
Option | Description
EAP-PEAP options | Select the following options, if the EAP type is PEAP (Protected EAP):
EAP Type | Select an EAP type used by the client to connect to the wireless network. Default: EAP-PEAP
EAP-Certificate Options | If you select the EAP type as certificate, you can select one of the following options:
Inner EAP Type | Select the inner EAP type. Default: EAP-MSCHAPv2
Inner EAP Authentication options: |
Automatically connect when this WLAN is in range | Select this option if you want the VIA client to connect when this network (SSID) is available.
EAP-PEAP: Connect only to these servers | Comma separated list of servers.
Enable IEEE 802.1X authentication for this network | Select this option to enable 802.1X authentication for this network. Default: Enabled.
EAP-Certificate: Connect only to these certificates | Comma separated list of servers.
Inner EAP-Certificate: Connect only to these servers | Comma separated list of servers.
Connect even if this WLAN is not broadcasting | Default: Disabled
You can re-brand the VIA client and the VIA download page with your custom logo and HTML page.
Figure 10 VIA - Customize VIA logo, Landing Page, and download VIA Installer
To download the VIA installer and version file:
1. Navigate to the tab.
2. Under the VIA installers for various platforms section, click ansetup.msi to download the installation file.
To use a custom logo on the VIA download page and the VIA client:
1. Navigate to the tab.
2. Under the Customize Logo section, browse and select a logo from your computer. Click the button to upload the image to the controller.
To use the default Aruba logo, click the button.
To use a custom landing page for VIA web login:
1. Navigate to the tab.
2. Under the Customize Welcome HTML section, browse and select the HTML file from your computer. Click the button to upload the file to the controller.
3. The following variables are used in the custom HTML file. All variables in the custom HTML file use the notation <% variable-name %>:
<% user %>: this will display the username.
<% ip %>: this will display the IP address of the user.
<% role %>: this will display the user role.
<% logo %>: this is the custom logo (Example: <img src="<% logo %>">)
<% logout %>: the logout link (Example: <a href="<% logout %>">VIA Web Logout</a>)
<% download %>: the installer download link (Example: <a href="<% download %>">Click here to download VIA</a>)
To use the default welcome page, click the button.
4. Click the button to continue.
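A custom welcome page is easiest to get right when it can be previewed before upload. The following renderer is an added example, not part of ArubaOS and not the controller's own template engine: it expands the six documented <% variable %> placeholders, rejects misspelled variable names, and lists documented variables the page never uses. The sample page, the variable values, and the function names are constructed for this illustration; substituted values are HTML-escaped here because the username and role are supplied by the user or the authentication server, and the page does not state how the controller itself treats them.

```python
"""Expand the <% name %> placeholders of a VIA custom welcome HTML page.

Added example (not Aruba's code): a preview/lint tool for the notation
documented above. KNOWN_VARIABLES are the six variables listed on the page;
everything else (sample page, values, function names) is constructed.
"""
import html
import re

# The six variables documented for the custom welcome page.
KNOWN_VARIABLES = {"user", "ip", "role", "logo", "logout", "download"}

# Matches "<% user %>"; the \s* tolerates extra spaces inside the delimiters.
_PLACEHOLDER = re.compile(r"<%\s*(\w+)\s*%>")

# Constructed sample page that uses every documented variable.
SAMPLE_PAGE = """<html><body>
<img src="<% logo %>">
<p>Welcome <% user %> (<% ip %>), role <% role %>.</p>
<a href="<% download %>">Click here to download VIA</a>
<a href="<% logout %>">VIA Web Logout</a>
</body></html>"""


def render_welcome_page(template: str, values: dict) -> str:
    """Replace each documented placeholder in template with its value.

    Values are HTML-escaped before insertion (assumption for this preview:
    "user" comes from the login form and "role" from the authentication
    server, so neither is trusted markup). A variable name that is not
    documented raises ValueError so typos are caught before upload.
    """
    def substitute(match) -> str:
        name = match.group(1)
        if name not in KNOWN_VARIABLES:
            raise ValueError(f"unknown welcome-page variable <% {name} %>")
        return html.escape(str(values[name]), quote=True)

    return _PLACEHOLDER.sub(substitute, template)


def unused_variables(template: str) -> set:
    """Documented variables the template never references (lint before upload)."""
    return KNOWN_VARIABLES - set(_PLACEHOLDER.findall(template))


if __name__ == "__main__":
    # Constructed values; paths are placeholders, not the controller's real URLs.
    sample_values = {
        "user": "alice",
        "ip": "10.11.12.50",
        "role": "example-via-role",
        "logo": "/via/logo.png",
        "logout": "/via/logout",
        "download": "/via/ansetup.msi",
    }
    print(render_welcome_page(SAMPLE_PAGE, sample_values))
    print("unused variables:", unused_variables(SAMPLE_PAGE) or "none")
```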
The following steps illustrate configuring VIA Using the CLI. Install your Policy Enforcement Firewall Virtual Private Network (PEFV) license key. For detailed information on the VIA command line options, see the ArubaOS 6.2 Command Line Reference Guide.
(host) (config)# license add <key>
(host) (config) #user-role example-via-role
(host) (config-role) #access-list session "allowall" position 1
(host) (config-role) #ipv6 session-acl "v6-allowall" position 2
(host) (config) #aaa server-group "via-server-group"
(host) (Server Group "via-server-group") #auth-server "Internal" position 1
(host) (Server Group "via-server-group") #aaa authentication via auth-profile default
(host) (VIA Authentication Profile "default") #default-role example-via-role
(host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
(host) (VIA Authentication Profile "default") #server-group "via-server-group"
(host) (config) #aaa authentication via connection-profile "via"
(host) (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary" position 0
(host) (VIA Connection Profile "via") #auth-profile "default" position 0
(host) (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0
(host) (VIA Connection Profile "via") #split-tunneling
(host) (VIA Connection Profile "via") #windows-credentials
(host) (VIA Connection Profile "via") #client-netmask 255.0.0.0
(host) (VIA Connection Profile "via") #dns-suffix-list example.com
(host) (VIA Connection Profile "via") #support-email via-support@example.com
Enter the following command after you create the client WLAN profile. See Configure VIA Client WLAN Profiles.
(host) (VIA Connection Profile "via") #client-wlan-profile "via_corporate_wpa2" position 0
(host) (config) #aaa authentication via web-auth default
(host) (VIA Web Authentication "default") #auth-profile default position 0
You can have only one profile (default) for VIA web authentication.
(host) (config) #user-role "example-via-role"
(host) (config-role) #via "via"
(host) (config) #wlan ssid-profile "via_corporate_wpa2"
(host) (SSID Profile "via_corporate_wpa2") #essid corporate_wpa2
(host) (SSID Profile "via_corporate_wpa2") #opmode wpa2-aes
(host) (SSID Profile "via_corporate_wpa2") #wlan client-wlan-profile "via_corporate_wpa2"
(host) (VIA Client WLAN Profile "via_corporate_wpa2") #ssid-profile "via_corporate_ssid"
For detailed configuration parameter information, see “wlan client-wlan-profile” command in the ArubaOS 6.2 Command Line Reference Guide.
This step can only be performed using the WebUI. See Rebranding VIA and Downloading the Installer.