Configuring the VIA Controller

VIA configuration requires that you first configure VPN settings and then configure VIA settings. See Virtual Private Networks for information on configuring VPN settings on your controller.

Before you Begin

The following ports must be enabled before configuring the VIA controller.

TCP 443—During the initializing phase, VIA uses HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks.
UDP 4500—Required for IPsec (UDP-encapsulated ESP with NAT traversal)
UDP 500—Required for IKE negotiation by VIA 1.0 on Mac OS
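As an added example (not part of the ArubaOS documentation or of the VIA client), the following Python script runs these port checks from a prospective client's vantage point. TCP 443 can be confirmed with a handshake; UDP 500 and 4500 have no handshake, so the probe can only prove a port closed (ICMP port unreachable) and otherwise reports open|filtered, which is exactly the ambiguity a firewall that silently drops packets produces. The hostname via.example.com is a placeholder.

```python
"""Pre-flight reachability check for the ports VIA needs on the controller.

Added example, not part of the ArubaOS documentation or of VIA itself.
"""
import socket

# Port list taken from the "Before you Begin" section.
VIA_TCP_PORTS = (443,)        # HTTPS: trusted-network and captive-portal checks
VIA_UDP_PORTS = (4500, 500)   # IPsec NAT-T and IKE


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable, or name resolution failed.
        return False


def udp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Best-effort UDP probe.

    The only definite answer UDP gives is 'closed': an ICMP port-unreachable
    surfaces as ECONNREFUSED on a connected datagram socket. Silence means
    the port is open (IKE ignores our junk datagram) or a firewall dropped
    it, so it is reported as 'open|filtered'. Any reply means 'open'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b"\x00")  # one byte, deliberately not a valid IKE message
            s.recv(1)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        except OSError:
            return "error"


def via_precheck(host: str) -> dict:
    """Run every check; returns e.g. {'tcp/443': True, 'udp/4500': 'open|filtered', ...}."""
    results = {}
    for p in VIA_TCP_PORTS:
        results[f"tcp/{p}"] = tcp_open(host, p)
    for p in VIA_UDP_PORTS:
        results[f"udp/{p}"] = udp_probe(host, p)
    return results


def precheck_passed(results: dict) -> bool:
    """TCP 443 is mandatory; a UDP port fails the check only when provably closed."""
    tcp_ok = all(results[f"tcp/{p}"] for p in VIA_TCP_PORTS)
    udp_ok = all(results[f"udp/{p}"] != "closed" for p in VIA_UDP_PORTS)
    return tcp_ok and udp_ok


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "via.example.com"  # placeholder host
    report = via_precheck(target)
    for name, value in report.items():
        print(f"{name:9} {value}")
    print("PASS" if precheck_passed(report) else "FAIL")
```

Run it as `python3 via_precheck.py <controller-host>` from the network segment the clients will use; an open|filtered result on UDP 500/4500 is not proof the IPsec path works, only that nothing rejected it, so follow up with a real VIA connection attempt.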

Supported Authentication Mechanisms

VIA 1.x and VIA 2.x support different authentication mechanisms:

Authentication mechanisms supported in VIA 1.x

Authentication is performed using IKEv1 only. IKE phase 1 authentication, which authenticates the VPN client, can be performed using either a pre-shared key or an X.509 certificate (the X.509 certificate must appear in the operating system's "user" certificate store). If a certificate is used for IKE phase 1 authentication, it must be followed by username/password authentication.

The second authentication phase is performed using XAuth, which requires a username and password. The username and password are authenticated against the controller's internal database, a RADIUS server, or an LDAP server. If a RADIUS server is used, it must support the PAP protocol.

VIA 1.x supports two-factor authentication with token cards, such as RSA tokens and other token products, including the new-PIN and next-PIN modes.

Authentication mechanisms supported in VIA 2.x

In addition to the authentication methods supported by VIA 1.x, VIA 2.x adds support for IKEv2. IKEv2 is a newer version of the protocol that negotiates faster and supports a wider variety of authentication mechanisms. IKEv2 has a single authentication phase rather than the two used with IKEv1 plus XAuth. VIA supports the following with IKEv2:

Username/password
X.509 certificate. Controllers running ArubaOS 6.1 or greater support OCSP for the purpose of validating that a certificate has not been revoked.
EAP (Extensible Authentication Protocol) including EAP-TLS and EAP-MSCHAPv2.

Other authentication methods:

Certificate-based authentication.
Smart cards that support a Smart Card Cryptographic Provider (SCCP) API within the operating system. VIA will look for an X.509 certificate in the operating system’s certificate store. A smart card supporting a SCCP will cause the certificate embedded within the smart card to automatically appear in the operating system’s certificate store.

Suite B Cryptography Support

Suite B is a set of public, commercial cryptographic algorithms approved by the US Government for use in classified communication, and represents the strongest protection available from such algorithms. Specifically, VIA provides support for:

RFC 4869—Suite B Cryptographic Suites for IPsec
AES-GCM 128/256 for bulk data transfer
ECDSA for digital signatures, including support for X.509v3 certificates using ECDSA keys with p256/p384 curves
ECDH for key agreement using p256/p384 curves
SHA-256 and SHA-384 for message digests

 

Suite B support requires a controller running ArubaOS 6.2 or greater with the Advanced Cryptography License installed. See Software Licenses for more information on licenses.

802.11 Suite-B

The bSec protocol is a pre-standard protocol that has been proposed to the IEEE 802.11 committee as an alternative to 802.11i. The main difference between bSec and standard 802.11i is that bSec implements Suite B algorithms wherever possible. Notably, AES-CCM is replaced by AES-GCM, and the Key Derivation Function (KDF) of 802.11i is upgraded to support SHA-256 and SHA-384. To interoperate with standard Wi-Fi software drivers, bSec is implemented as a shim layer between standard 802.11 Wi-Fi and a Layer 3 protocol such as IP. A controller configured to advertise a bSec SSID therefore advertises an open network; however, only bSec frames are permitted on that network, so the protection is provided by the shim layer rather than by 802.11i.

The bSec protocol requires VIA 2.1 or later on the client device.

Configuring VIA Settings

The following steps are required to configure your controller for VIA. These steps are described in detail in the subsections that follow.

1. Enable VPN Server Module—ArubaOS allows you to connect to the VIA controller using the default user roles. However, to configure and assign specific user roles you must install the Policy Enforcement Firewall Virtual Private Network (PEFV) license. For details, see Enable VPN Server Module.
2. Create VIA User Roles—VIA user roles contain access control policies for users connecting to your network using VIA. You can configure different VIA roles or use the default VIA role, default-via-role. For details, see Create VIA User Roles.
3. Create VIA Authentication Profile—A VIA authentication profile contains a server group for authenticating VIA users. The server group contains the list of authentication servers and server rules to derive user roles based on the user authentication. You can configure multiple VIA authentication profiles and / or use the default VIA authentication profile created with Internal server group. For details, see Create VIA Authentication Profile.
4. Create VIA Connection Profile—A VIA connection profile contains the settings VIA needs to establish a secure connection to the controller. You can configure multiple VIA connection profiles. A VIA connection profile is always associated with a user role, and all users belonging to that role use the configured settings. If you do not assign a VIA connection profile to a user role, the default connection profile is used. For details, see Create VIA Connection Profile.
5. Configure VIA Web Authentication—A VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authentication profile is used by end users to login to the VIA download page (https://<server-IP-address>/via) for downloading the VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is configured, users can view this list and select one during the client login. For details, see Configure VIA Web Authentication.
6. Associate VIA Connection Profile to User Role—A VIA connection profile has to be associated with a user role. Users log in by authenticating against the server group specified in the VIA authentication profile and are placed in that user role. The VIA configuration settings are derived from the VIA connection profile attached to that user role; if no connection profile is attached, the default connection profile is used. For details, see Associate VIA Connection Profile to User Role.
7. Configure VIA Client WLAN Profiles—You can push WLAN profiles to end-user computers that use the Microsoft Windows Wireless Zero Config (WZC) service to configure and maintain their wireless networks. After the WLAN profiles are pushed to end-user computers, they are automatically displayed as an ordered list in the preferred networks. The VIA client WLAN profiles provisioned on the client are selected in the VIA connection profile described in Step 4. For details, see Configure VIA Client WLAN Profiles.
8. Rebranding VIA and Downloading the Installer—You can use a custom logo on the VIA client and on the VIA download web page. For details, see Rebranding VIA and Downloading the Installer.
9. Download VIA Installer and Version File

Using the WebUI to Configure VIA

The following steps illustrate configuring your controller for VIA using the WebUI.

Enable VPN Server Module

You must install the PEFV license to configure and assign user roles. See   for licensing requirements.

To install a license:

1. Navigate to Configuration > Network > Controller and select the Licenses tab on the right hand side.
2. Paste the license key in the Add New License key text box and click the Add button.

Create VIA User Roles

To create VIA users roles:

1. Navigate to Configuration > Security > Access Control > User Roles.
2. Click Add to create a new role and its policies. Click Done after creating the user role, then click Apply to save it to the configuration.

Create VIA Authentication Profile

The following steps illustrate the procedure to create an authentication profile that authenticates users against a server group.

1. Navigate to Configuration > Security > Authentication > L3 Authentication.
2. Under the Profiles section, expand the VIA Authentication Profile option. You can configure the following parameters for the authentication profile:

Table 1: VIA - Authentication Profile Parameters

Parameter

Description

Default Role

The role assigned to users who authenticate successfully, unless a server-group rule derives a different role.

Max Authentication Failures

Specifies the maximum number of authentication failures allowed. The default is 0 (zero).

Description

A user friendly name or description for the authentication profile.

3. To create a new authentication profile:
a. Enter a name for the new authentication profile under the VIA Authentication Profiles section and click the Add button.
b. Expand the VIA Authentication Profiles option and select the new profile name.
4. To modify an authentication profile, select the profile name and configure the default role.

The following screenshot uses the default authentication profile.

Figure 1  VIA - Associate User Role to VIA Authentication Profile


5. To use a different server group, Click Server Group under VIA Authentication Profile and select New to create a new server group.

Figure 2  VIA - Creating a new server group for VIA authentication profile


6. Enter a name for the server group.

Figure 3  VIA - Enter a name for the server group


Create VIA Connection Profile

To create VIA connection profile:

1. Navigate to Configuration > Security > Authentication > L3 Authentication tab. Click the VIA Connection Profile option and enter a name for the connection profile.

Figure 4  VIA - Create VIA Connection Profile


2. Click on the new VIA connection profile to configure the connection settings. VIA Connection profile settings are divided into two tabs, Basic and Advanced. The Basic tab displays only those configuration settings that often need to be adjusted to suit a specific network. The Advanced tab shows all configuration settings, including settings that do not need frequent adjustment or should be kept at their default values. If you change a setting on one tab then click and display the other tab without saving your configuration, that setting will revert to its previous value.
3. Click Apply to save your changes.

Table 2: VIA - Connection Profile Options

Configuration Option

Description

Basic VIA Connection Profile Settings

VIA Servers

Enter the following information about the VIA controller.

Controller Hostname/IP Address: The public IP address or DNS hostname of the VIA controller. Users connect to the remote server using this IP address or hostname.
Controller Internal IP Address: The IP address of any of the VLAN interfaces belonging to this controller.
Controller Description: This is a human-readable description of the controller.

Click the Add button after you have entered all the details. If you have more than one VIA controller you order them by clicking the Up and Down arrows.

To delete a controller from your list, select a controller and click the Delete button.

Client Auto-Login

Enable or disable VIA client to auto login and establish a secure connection to the controller.

Default: Enabled

VIA tunneled networks

A list of network destinations (IP address and netmask) that the VIA client tunnels through the controller. When split tunneling is enabled, all other destinations are reached directly by the VIA client, outside the tunnel; when split tunneling is disabled this list has no effect because all traffic is tunneled.

Enter an IP address & network mask and click the Add button to add to the tunneled networks list.
To delete a network entry, select the IP address and click the Delete button.

Enable split-tunneling

Enable or disable split tunneling.

If enabled, only traffic to the VIA tunneled networks (the list described above) goes through the controller; all other traffic leaves the client directly over its local network, unprotected by the tunnel and invisible to the controller's firewall policies.
If disabled, all traffic flows through the controller.

Default: off

Allow client-side logging

Enable or disable client side logging. If enabled, VIA client will collect logs that can be sent to the support email-address for troubleshooting.

Default: Enabled

Enable IKEv2

Select this option to enable or disable the use of IKEv2 policies for VIA.

Use Suite B Cryptography

Select this option to use Suite B cryptography methods. You must install the Advanced Cryptography license to use the Suite B cryptography. See Working with Licenses for more information.

IKEv2 Authentication method

List of all IKEv2 authentication methods.

VIA Client DNS Suffix List

The DNS suffix list (comma separated) that is set on the client once the VPN connection is established.

Default: None.

VIA Support E-mail Address

The support e-mail address to which VIA users will send client logs.

Default: None.

Advanced VIA Connection Profile Settings

VIA Servers

Enter the following information about the VIA controller.

Hostname/IP Address: This is the public IP address or the DNS hostname of your VIA Server / controller. Users will connect to this remote server using the IP address or the hostname.
Internal IP Address: This is the IP address of any of the VLAN interface IP addresses belonging to this VIA server.
Description: This is a human-readable description of the VIA server. Click the Add button after you have entered all the details.

If you have more than one VIA controller you re-order them by clicking the Up and Down arrows. To delete a VIA server from your list, select a server and click Delete.

Client Auto-Login

Select this checkbox to allow a VIA client to automatically log in and establish a secure connection to the controller.

Default: Enabled

VIA Authentication Profiles to provision

This is the list of VIA authentication profiles that will be displayed to users in the VIA client. See Create VIA Authentication Profile.

Select an authentication profile and click the Add button to add to the authentication profiles list.
You can change the order of the list by clicking the Up and Down arrows.
To delete an authentication profile, select a profile name and click the Delete button.

Allow client to auto-upgrade

Enable or disable VIA client to automatically upgrade when an updated version of the client is available on the controller.

Default: Enabled

VIA tunneled networks

A list of network destinations (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client.

Enter an IP address and network mask, then click the Add button to add them to the tunneled networks list.
To delete a network entry, select the IP address and click Delete.

Enable split-tunneling

Enable or disable split tunneling.

If enabled, all traffic to the VIA tunneled networks will go through the controller and the rest is sent directly from the client.
If disabled, all traffic will flow through the controller.

Default: off

VIA Client WLAN profiles

A list of VIA client WLAN profiles that needs to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks.

Select a WLAN profile and click the Add button to add to the client WLAN profiles list.
To delete an entry, select the profile name and click the Delete button.

See Configure VIA Client WLAN Profiles for more information.

VIA IKE V2 Policy

List of available IKEv2 policies.

VIA IKE Policy

List of IKE policies that the VIA Client has to use to connect to the controller. These IKE policies are configured under Configuration > Advanced Services > VPN Services > IPSEC > IKE Policies.

Use Windows Credentials

Enable or disable the use of the Windows credentials to login to VIA. If enabled, the SSO (Single Sign-on) feature can be utilized by remote users to connect to internal resources.

Default: Enabled

VIA IPSec V2 Crypto Map

List of all IPSec V2 crypto maps that the VIA client uses to connect to the controller.

VIA IPSec Crypto Map

List of IPSec Crypto Map that the VIA client uses to connect to the controller. These IPSec Crypto Maps are configured in CLI using the crypto-local ipsec-map <ipsec-map-name> command.

VIA Client Network Mask

The network mask, in dotted decimal format, that is set on the client after the VPN connection is established.

Default: 255.255.255.255

Content Security Gateway URL

If split-tunnel forwarding is enabled, access to external (non-corporate) web sites will be verified by the specified content security service provider.

Enable Supplicant

If enabled, VIA starts in bSec mode using Layer 2 Suite B cryptography. This option is disabled by default.

Enable FIPS Module

Enable the VIA FIPS (Federal Information Processing Standard) module so that VIA checks for FIPS compliance during startup. This option is disabled by default.

Auto-Launch Supplicant

Select this option to automatically connect to a configured WLAN network.

Lockdown all Settings

If enabled, all user options on the VIA client are disabled.

Domain Suffix in VIA Authentication

Enables a domain suffix on VIA authentication, so client credentials are sent as domainname\username instead of just username.

Enable Controllers Load Balance

Enable this option to have the VIA client fail over to a server selected randomly from the list configured in the VIA Servers option. If disabled, VIA fails over to the next server in the ordered VIA Servers list.

Enable Domain Preconnect

Enable this option to allow users with lost or expired passwords to establish a VIA connection to the corporate network. This option authenticates the user's device and establishes a VIA connection that allows the user to reset credentials and continue with corporate access.

VIA Banner Message Reappearance Timeout (minutes)

The maximum time (minutes) allowed before the VIA login banner reappears.

Default: 1440 min

Validate Server Certificate

Enable or disable validation by VIA of the server certificate presented by the controller. Leave this enabled: with validation off, anyone who can intercept the client's connection can impersonate the controller and capture the user's credentials.

Default: Enabled

VIA max session timeout

The maximum time (minutes) allowed before the VIA session is disconnected.

Default: 1440 min

VIA Logon Script

Specify the name of the logon script that must be executed after VIA establishes a secure connection. The logon script must reside in the client computer.

VIA Logoff Script

Specify the name of the log-off script that must be executed after the VIA connection is disconnected. The logoff script must reside in the client computer.

Maximum reconnection attempts

The maximum number of re-connection attempts by the VIA client due to authentication failures.

Default: 3

VIA external download URL

End users will use this URL to download VIA on their computers.

Allow user to disconnect VIA

Enable or disable users to disconnect their VIA sessions.

Default: on

Comma separated list of HTTP ports to be inspected (apart from default port 80)

Traffic from the specified ports will be verified by the content security service provider.

Enable Content Security Services

Select this checkbox to enable content security service. You must install the Content Security Services licenses to use this option. See Working with Licenses for more information.

Keep VIA window minimized

Enable this option to minimize the VIA client to system tray during the connection phase. Applicable to VIA client installed in computers running Microsoft Windows operating system.

Block traffic until VPN tunnel is up

If enabled, this feature blocks all network access from the client until the VIA VPN connection is established.

Block traffic rules

Specify a hostname, or an IP address and network mask, to define the destinations that remain reachable while the Block traffic until VPN tunnel is up setting is in effect.
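The options above jointly decide, for every destination, whether the VIA client sends a packet through the tunnel, directly over the local network, or not at all. The following Python model is added here for illustration and is not VIA code: its evaluation order is an assumption derived from the option descriptions in this table, and it handles only IP-address and network entries (a hostname entered in Block traffic rules would have to be resolved first). The profile values and destination addresses are constructed samples.

```python
"""Client-side forwarding decision implied by a VIA connection profile.

Added example; not VIA code. Decision order is assumed from the option
descriptions: tunneled networks, split tunneling, block-until-up + exceptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ConnectionProfile:
    """Subset of a VIA connection profile that affects forwarding."""
    tunneled_networks: list = field(default_factory=list)    # VIA tunneled networks
    split_tunneling: bool = False                            # Enable split-tunneling (default off)
    block_until_tunnel_up: bool = False                      # Block traffic until VPN tunnel is up
    block_traffic_rules: list = field(default_factory=list)  # exceptions to that block

    def __post_init__(self):
        # Accept both "10.0.0.0/8" and the WebUI/CLI form "10.0.0.0/255.255.255.0".
        self.tunneled_networks = [ip_network(n, strict=False) for n in self.tunneled_networks]
        self.block_traffic_rules = [ip_network(n, strict=False) for n in self.block_traffic_rules]


def _in_any(dst, networks) -> bool:
    return any(dst in net for net in networks)


def decide(profile: ConnectionProfile, destination: str, tunnel_up: bool) -> str:
    """Return 'tunnel', 'direct' or 'blocked' for a single destination IP."""
    dst = ip_address(destination)
    if not tunnel_up:
        # Before the tunnel exists nothing can be protected; the only question
        # is whether the client may talk at all.
        if profile.block_until_tunnel_up and not _in_any(dst, profile.block_traffic_rules):
            return "blocked"
        return "direct"
    if not profile.split_tunneling:
        return "tunnel"          # full tunnel: everything traverses the controller
    if _in_any(dst, profile.tunneled_networks):
        return "tunnel"
    return "direct"              # split tunnel: bypasses the controller entirely


def unprotected(profile: ConnectionProfile, destinations, tunnel_up: bool = True) -> list:
    """Destinations that bypass the controller and its firewall policies."""
    return [d for d in destinations if decide(profile, d, tunnel_up) == "direct"]


if __name__ == "__main__":
    # Constructed sample profile mirroring the CLI example later on this page.
    split = ConnectionProfile(
        tunneled_networks=["10.0.0.0/255.255.255.0", "192.168.50.0/24"],
        split_tunneling=True,
        block_until_tunnel_up=True,
        block_traffic_rules=["203.0.113.10/32"],   # e.g. a resolver reachable pre-tunnel
    )
    for dst in ("10.0.0.25", "192.168.50.7", "8.8.8.8", "203.0.113.10"):
        print(f"{dst:15} tunnel up: {decide(split, dst, True):8} "
              f"tunnel down: {decide(split, dst, False)}")
    print("leaves client in the clear:", unprotected(split, ["10.0.0.25", "8.8.8.8"]))
```

Running the model with split tunneling on shows the trade-off the Enable split-tunneling option hides: every destination outside the tunneled list is reachable in the clear and is never inspected by the controller, so the tunneled-network list must enumerate every internal prefix or the profile should stay in full-tunnel mode.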

Configure VIA Web Authentication

To configure VIA web authentication profile:

1. Navigate to Configuration > Security > Authentication > L3 Authentication tab.
2. Expand VIA Web Authentication and click on default profile.


You can have only one profile (default) for VIA web authentication.

3. Select a profile from VIA Authentication Profile drop-down list box and click the Add button.
To re-order profiles, click the Up and Down button.
To delete a profile, select a profile and click the Delete button.
4. If a profile is not selected, the default VIA authentication profile is used.

Figure 5  VIA - Select VIA Authentication Profile


Associate VIA Connection Profile to User Role

To associate a VIA connection profile to a user role:

1. Navigate to Configuration > Security > Access Control > User Roles tab.
2. Select the VIA user role (See Create VIA User Roles) and click the Edit button.
3. In the Edit Role page, navigate to VIA Connection Profile and select the connection profile from the drop-down list box and click the Change button.
4. Click the Apply button to save the changes to the configuration.

Figure 6  VIA - Associate VIA Connection Profile to User Role


Configure VIA Client WLAN Profiles

To configure a VIA client WLAN profile:

1. Navigate to Configuration > Advanced Services > All Profiles.
2. Expand Controller Profiles and select VIA Client WLAN Profile.
3. In the Profile Details, enter a name for the WLAN profile and click the Add button.

Figure 7  VIA - Create VIA Client WLAN Profile


4. Expand the new WLAN profile and click SSID Profile. In the profile details page, select New from the SSID Profile drop-down box and enter a name for the SSID profile.
5. In the Basic tab, enter the network name (SSID) and select 802.11 security settings. Click the Apply button to continue.

Figure 8  VIA - Configure the SSID Profile


6. You can now configure the SSID profile by selecting it under the VIA Client WLAN Profile option.

Figure 9  VIA - Configure VIA Client WLAN Profile


The VIA client WLAN profile settings are similar to the authentication settings used to set up a wireless network in Microsoft Windows. The following table shows the Microsoft Windows equivalent settings:

Table 3: Configure VIA client WLAN profile

Option

Description

EAP-PEAP options

Select the following options, if the EAP type is PEAP (Protected EAP):

validate-server-certificate: Select this option to validate server certificates.
enable-fast-reconnect: Select this option to allow fast reconnect.
enable-quarantine-checks: Select this option to perform quarantine checks.
disconnect-if-no-cryptobinding-tlv: Select this option to disconnect if server does not present cryptobinding TLV.
dont-allow-user-authorization: Select this to suppress prompts asking the user to authorize new servers or trusted certification authorities.

EAP Type

Select an EAP type used by client to connect to wireless network.

Default: EAP-PEAP

EAP-Certificate Options

If you select EAP type as certificate, you can select one of the following options:

mschapv2-use-windows-credentials
use-smartcard
simple-certificate-selection
use-different-name
validate-server-certificate

Inner EAP Type

Select the inner EAP type.

Default: EAP-MSCHAPv2

Inner EAP Authentication options:

mschapv2-use-windows-credentials: Automatically use the Windows logon name and password (and domain if any)
use-smartcard: Use a smart card
simple-certificate-selection: Use a certificate on the user's computer or use a simple certificate selection method (recommended)
validate-server-certificate: Validate the server certificate
use-different-name: Use a different user name for the connection (and not the CN on the certificate)

Automatically connect when this WLAN is in range

Select this option if you want VIA client to connect when this network (SSID) is available.

EAP-PEAP: Connect only to these servers

Comma separated list of servers.

Enable IEEE 802.1X authentication for this network

Select this option to enable 802.1X authentication for this network.

Default: Enabled.

EAP-Certificate: Connect only to these certificates

Comma separated list of servers.

Inner EAP-Certificate: Connect only to these servers

Comma separated list of servers.

Connect even if this WLAN is not broadcasting

Default: Disabled

Rebranding VIA and Downloading the Installer

You can re-brand the VIA client and the VIA download page with your custom logo and HTML page.

Figure 10  VIA - Customize VIA logo, Landing Page, and download VIA Installer


Download VIA Installer and Version File

To download the VIA installer and version file:

1. Navigate to the Configuration > Advanced Services > VPN Services > VIA tab.
2. Under VIA installers for various platforms section, click ansetup.msi to download the installation file.

Customize VIA Logo

To use a custom logo on the VIA download page and the VIA client:

1. Navigate to theConfiguration > Advanced Services > VPN Services > VIA tab.
2. Under Customize Logo section, browse and select a logo from your computer. Click the Upload button to upload the image to the controller.
To use the default Aruba logo, click the Reset button.

Customize the Landing Page for Web-based Login

To use a custom landing page for VIA web login:

1. Navigate to the Configuration > Advanced Services > VPN Services > VIA tab.
2. Under the Customize Welcome HTML section, browse and select the HTML file from your computer. Click the Upload button to upload the file to the controller.
3. The custom HTML file can use the following variables, written in <% name %> notation:

<% user %>: this will display the username.
<% ip %>: this will display the IP address of the user.
<% role %>: this will be display the user role.
<% logo %>: this is the custom logo (Example: <img src="<% logo %>">)
<% logout %>: the logout link (Example: <a href="<% logout %>">VIA Web Logout</a>)
<% download %>: the installer download link (Example: <a href="<% download %>">Click here to download VIA</a>)

To use the default welcome page, click the Reset button.

4. Click the Apply button to continue.
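The user name, IP address and role placeholders are filled from the authenticated session, so whatever a user presents as a login name ends up inside the landing page. The following Python renderer is an added example, not the controller's own template engine: it substitutes the <% name %> variables listed above, HTML-escapes session values, rejects placeholders the documentation does not define, and accepts only same-origin or https values for the link placeholders. Whether the controller escapes these values itself is not stated on this page, so use this as the behaviour to test a custom page against, not as documented fact. The template text and the /via/logo.png and /via/ansetup.msi paths are constructed samples.

```python
"""Renderer for the <% name %> landing-page variables, with output escaping.

Added example; not the controller's own renderer.
"""
import html
import re

# Placeholder syntax documented above: <% name %>, surrounding whitespace optional.
VAR_RE = re.compile(r"<%\s*(\w+)\s*%>")

SESSION_VARS = {"user", "ip", "role"}       # filled from the authenticated session
LINK_VARS = {"logo", "logout", "download"}  # filled by the controller


def safe_link(value: str) -> str:
    """Allow only same-origin paths or https URLs for link placeholders.

    This restriction is a hardening choice of the example, not a documented
    controller behaviour; it blocks e.g. javascript: or data: values.
    """
    if value.startswith("/") or value.startswith("https://"):
        return value
    raise ValueError(f"refusing link value {value!r}")


def render(template: str, values: dict) -> str:
    """Expand every documented placeholder; unknown names raise KeyError."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name in SESSION_VARS:
            raw = str(values.get(name, ""))
        elif name in LINK_VARS:
            raw = safe_link(str(values.get(name, "")))
        else:
            raise KeyError(f"unknown placeholder <% {name} %>")
        # quote=True also escapes " and ', so the value is safe inside attributes.
        return html.escape(raw, quote=True)
    return VAR_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample page using the six documented variables.
    page = (
        '<img src="<% logo %>">'
        '<h1>Welcome <% user %> (<% role %>) from <% ip %></h1>'
        '<a href="<% download %>">Click here to download VIA</a> '
        '<a href="<% logout %>">VIA Web Logout</a>'
    )
    session = {
        "user": '<script>alert(document.cookie)</script>',  # hostile login name
        "role": "default-via-role",
        "ip": "198.51.100.23",
        "logo": "/via/logo.png",
        "download": "/via/ansetup.msi",
        "logout": "/via/logout",
    }
    print(render(page, session))
```

The hostile login name is rendered as inert text; swapping the user variable for a role or IP value behaves the same way because escaping is applied uniformly to every session-derived placeholder rather than to the one you happen to expect to be dangerous.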

Using the CLI to Configure VIA

The following steps illustrate configuring VIA Using the CLI. Install your Policy Enforcement Firewall Virtual Private Network (PEFV) license key. For detailed information on the VIA command line options, see the ArubaOS 6.2 Command Line Reference Guide.

(host) (config)# license add <key>

Create VIA roles

(host) (config) #user-role example-via-role

(host) (config-role) #access-list session "allowall" position 1

(host) (config-role) #ipv6 session-acl "v6-allowall" position 2

Create VIA authentication profiles

(host) (config) #aaa server-group "via-server-group"

(host) (Server Group "via-server-group") #auth-server "Internal" position 1

(host) (Server Group "via-server-group") #aaa authentication via auth-profile default

(host) (VIA Authentication Profile "default") #default-role example-via-role

(host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"

(host) (VIA Authentication Profile "default") #server-group "via-server-group"

Create VIA connection profiles

(host) (config) #aaa authentication via connection-profile "via"

(host) (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary" position 0

(host) (VIA Connection Profile "via") #auth-profile "default" position 0

(host) (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0

(host) (VIA Connection Profile "via") #split-tunneling

(host) (VIA Connection Profile "via") #windows-credentials

(host) (VIA Connection Profile "via") #client-netmask 255.0.0.0

(host) (VIA Connection Profile "via") #dns-suffix-list example.com

(host) (VIA Connection Profile "via") #support-email via-support@example.com

To enable content security services (CSS), do the following. CSS is available only if you have installed the content security services license. See "Licenses" for more information.

(host) (VIA Connection Profile "via") #enable-csec

(host) (VIA Connection Profile "via") #csec-gateway-url https://css.example.com

(host) (VIA Connection Profile "via") #csec-http-ports 8080,4343

Enter the following command after you create the client WLAN profile. See Configure VIA Client WLAN Profiles.

(host) (VIA Connection Profile "via") #client-wlan-profile "via_corporate_wpa2" position 0

Configure VIA web authentication

(host) (config) #aaa authentication via web-auth default

(host) (VIA Web Authentication "default") #auth-profile default position 0


You can have only one profile (default) for VIA web authentication.

Associate VIA connection profile to user role

(host) (config) #user-role "example-via-role"

(host) (config-role) #via "via"

Configure VIA client WLAN profiles

(host) (config) #wlan ssid-profile "via_corporate_ssid"

(host) (SSID Profile "via_corporate_ssid") #essid corporate_wpa2

(host) (SSID Profile "via_corporate_ssid") #opmode wpa2-aes

(host) (SSID Profile "via_corporate_ssid") #wlan client-wlan-profile "via_corporate_wpa2"

(host) (VIA Client WLAN Profile "via_corporate_wpa2") #ssid-profile "via_corporate_ssid"

For detailed configuration parameter information, see “wlan client-wlan-profile” command in the ArubaOS 6.2 Command Line Reference Guide.

Customize VIA logo, landing page and downloading installer

This step can only be performed using the WebUI. See Rebranding VIA and Downloading the Installer.