Virtual Intranet Access

VIA is part of the Aruba remote networks solution intended for teleworkers and mobile users. VIA detects the network environment (trusted or untrusted) of the user and connects the user to the enterprise network. A trusted network is a protected office network that allows users to directly access the corporate intranet. Untrusted networks are public Wi-Fi hotspots such as airports, cafes, or home networks.

The VIA solution includes the VIA client and the Mobility Master with managed device configuration.

VIA client—Remote workers and mobile users can install VIA on their computers and smart devices (iOS and Android) to connect to their enterprise network from remote locations.

Mobility Master and managed device configuration—To set up VIA for remote users, configure the VPN for VIA in the Mobility Master and configure the authentication profile and connection profile in the managed network.

VIA configuration settings are in the following sections of the WebUI:

In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN > VIA.

In the Managed Network node hierarchy, navigate to Configuration > Authentication > L3 Authentication:

VIA Authentication

VIA Connection

VIA Web Authentication

 

For information on configuring the settings in these profiles, refer to the VIA 3.x User Guide.

Topics in this section also include:

License Requirements

Managed devices running ArubaOS 8.x require one of two available license types to support VIA users: the PEFV license or the VIA license.

The PEFV license allows a network administrator to apply firewall policies to clients using a VPN to connect to the managed device. This PEFV license is purchased as a single device-specific license that enables the functionality up to the full user capacity of the managed device.

ArubaOS 8.2.0.0 and later supports a sharable VIA license. Each VIA client or third-party VPN client consumes a single VIA license. (VIA licenses are not consumed by site-to-site VPNs.) If a standalone controller or a managed device managed by Mobility Master has a PEFV license, that device will not consume VIA licenses from a licensing pool, because a single PEFV license supports all VIA and third-party VPN clients, up to the full user capacity of that controller or managed device.

Marking Outgoing Packets with ToS Bits

Starting from ArubaOS 8.3.0.0, you can configure the type of service-differentiated service code point (ToS-DSCP) for managed devices. This provides the ability for VIA to mark outgoing IKE and ESP packets with a custom DSCP value. When a VIA client downloads the connection profile, this value is also pushed to the client. VIA sets the configured DSCP value in the ToS byte of the outer IP header. You can use this to mark IPsec packets with a higher QoS/DSCP class than Best Effort.

The following procedure describes how to configure the tos-dscp parameter in the WebUI:

1. In the Managed Network node hierarchy, navigate to Configuration > System > Profiles and expand the Other Profiles menu.

2. Expand the VIA Connection profile option and select the name of an existing profile or click Add to create a new profile.

3. Click the default profile or other saved profile where you want to make changes.

4. In the VIA Connection Profile:<profile-name> pane on the right, enter a value for tos-dscp. The allowed value range is 0-63.

5. Click Submit.

6. Select Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the tos-dscp parameter in the managed device node:

(host) [mynode] (config) #aaa authentication via connection-profile <profile-name>

(host) [mynode] (VIA Connection Profile "<profile-name>") #tos-dscp <0-63>
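Because the tos-dscp value only applies to the outer IP header of the IKE and ESP packets VIA sends, the practical way to confirm the setting took effect is to look at captured tunnel traffic from the client side. The following is an added example, not Aruba or VIA code: it builds a small constructed "capture" of IPv4 packets, decodes the DSCP field from the ToS byte (DSCP occupies the upper six bits, so the byte value is dscp << 2), and reports IKE (UDP 500/4500) or ESP (protocol 50) packets whose marking does not match the configured value. Non-tunnel traffic, such as the DNS packet in the sample, is ignored because the knob does not affect it. The addresses and payloads are constructed, and the IP checksum is left at zero since this is not a packet that gets transmitted.

```python
"""Check the outer-IP DSCP marking on IKE/ESP packets (added example, not Aruba code)."""
import socket
import struct

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IKE_PORTS = {500, 4500}   # IKE, and NAT-T encapsulation on UDP 4500


def dscp_to_tos(dscp: int) -> int:
    """ToS byte carrying DSCP in its upper 6 bits; the 2 ECN bits stay 0.
    Enforces the same 0-63 range the tos-dscp knob accepts."""
    if not 0 <= dscp <= 63:
        raise ValueError("tos-dscp must be in the range 0-63")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    """Recover the DSCP value from a ToS byte."""
    return (tos >> 2) & 0x3F


def build_ipv4_packet(dscp: int, proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 packet (no options, checksum left 0) for the sample capture."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                    # version 4, IHL 5 words
        dscp_to_tos(dscp),       # ToS byte = DSCP << 2
        20 + len(payload),       # total length
        0, 0,                    # identification, flags/fragment offset
        64, proto, 0,            # TTL, protocol, checksum (not computed here)
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def parse_outer_header(packet: bytes) -> dict:
    """Decode the fields of the outer IPv4 header that the audit needs."""
    (vihl, tos, _tlen, _ident, _ff, _ttl, proto, _csum, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    info = {"dscp": tos_to_dscp(tos), "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto == IP_PROTO_UDP and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def is_via_tunnel_packet(info: dict) -> bool:
    """IKE (UDP 500/4500, which also carries NAT-T ESP) or raw ESP (protocol 50)."""
    if info["proto"] == IP_PROTO_ESP:
        return True
    return info["proto"] == IP_PROTO_UDP and bool(
        {info.get("sport"), info.get("dport")} & IKE_PORTS)


def audit_dscp(packets, expected_dscp: int):
    """(index, observed DSCP) for tunnel packets whose outer DSCP differs from the
    configured value. Other traffic is skipped: tos-dscp only applies to IKE and ESP."""
    mismatches = []
    for idx, pkt in enumerate(packets):
        info = parse_outer_header(pkt)
        if is_via_tunnel_packet(info) and info["dscp"] != expected_dscp:
            mismatches.append((idx, info["dscp"]))
    return mismatches


# Constructed sample "capture": client 198.51.100.10 -> managed device 203.0.113.1
CLIENT, GATEWAY = "198.51.100.10", "203.0.113.1"
SAMPLE_PACKETS = [
    build_ipv4_packet(46, IP_PROTO_UDP, CLIENT, GATEWAY, struct.pack("!HHHH", 500, 500, 8, 0)),   # IKE, DSCP 46 (EF)
    build_ipv4_packet(46, IP_PROTO_ESP, CLIENT, GATEWAY, b"\x00" * 8),                               # ESP, DSCP 46
    build_ipv4_packet(0, IP_PROTO_ESP, CLIENT, GATEWAY, b"\x00" * 8),                                # ESP still Best Effort
    build_ipv4_packet(0, IP_PROTO_UDP, CLIENT, GATEWAY, struct.pack("!HHHH", 40000, 53, 8, 0)),     # DNS, not tunnel traffic
]

if __name__ == "__main__":
    print(audit_dscp(SAMPLE_PACKETS, 46))   # [(2, 0)]
```

To use this on real traffic, feed the raw IPv4 frames from a capture into audit_dscp with the value you set for tos-dscp; any entries returned are tunnel packets still leaving with a different marking, which usually points to a client that has not refreshed its connection profile or an intermediate hop that rewrote the ToS byte.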

For more details on configuring, installing, and using VIA, refer to the latest version of the Aruba VIA for Mobility Master User Guide.

VIA Client Audit

Starting from ArubaOS 8.4.0.0, when a user authenticates and accesses the VIA client, a notification with details about the last successful logon date and time stamp is provided.

The following CLI command displays the username and the last login information:

(host) [mm] #show via-lastlogin

VIA VPN Client Visibility

Starting from ArubaOS 8.4.0.0, VIA client users are displayed separately in the WebUI for VPN client visibility. You can view these users on the Dashboard > Clients > Remote Clients page in the WebUI.

Previously, you could view the VIA VPN users using the CLI commands show user and show user-table. Now the VIA VPN user information is also published to a new GSM channel, via_user, and can be seen using the CLI command show gsm debug channel via_user.

VIA VPN Client Capability

Starting from ArubaOS 8.4.0.0, the VIA client provides a new option (a VIA connection profile knob) to enable forwarding over a Layer-2 GRE tunnel. This feature allows the VIA client to send GRE packets containing Ethernet frames through the IPsec tunnel established with the managed device.

The following CLI commands enable the Layer-2 forwarding option in the VIA connection profile:

(host) [mynode] (config) # aaa authentication via connection-profile default

(host) [mynode] (VIA Connection Profile "default") # l2-forwarding

VIA Unique Identifier

Starting from ArubaOS 8.4.0.0, VIA uses the MAC address of a client as the calling station ID when sending an authentication request to ClearPass Policy Manager. In earlier versions, the IP address of the client was used as the calling station ID.
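A change in what the calling station ID carries matters to anything on the RADIUS side that keys on it: a ClearPass enforcement condition, an audit query, or a log parser written against client IP addresses will stop matching once the attribute holds a MAC address. The following is an added example, not Aruba, VIA or ClearPass code, showing how a policy or log-analysis script can tell the two forms apart and canonicalize MAC addresses, which arrive in several notations (colon-, hyphen- and dot-separated) depending on the sender. The request records are constructed; the attribute name Calling-Station-Id is the standard RADIUS attribute, while the helper names are this example's own.

```python
"""Classify and canonicalize RADIUS Calling-Station-Id values (added example, not Aruba code)."""
import ipaddress
import re


def classify_calling_station_id(value: str):
    """Return (kind, canonical_value) where kind is "ip" (pre-8.4 behaviour),
    "mac" (ArubaOS 8.4.0.0 and later) or "unknown".
    IP parsing runs first so an IPv6 address is never mistaken for twelve hex digits."""
    text = value.strip()
    try:
        return "ip", str(ipaddress.ip_address(text))
    except ValueError:
        pass
    hexdigits = re.sub(r"[:\-.\s]", "", text.lower())
    if re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        # canonical form: lower-case, colon-separated octets
        return "mac", ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return "unknown", text


def summarize_requests(requests):
    """Count how many authentication requests identify the client by IP versus MAC.
    A mixed picture after an upgrade points to managed devices still on older code."""
    counts = {"ip": 0, "mac": 0, "unknown": 0}
    for req in requests:
        kind, _ = classify_calling_station_id(req["Calling-Station-Id"])
        counts[kind] += 1
    return counts


def mac_allowed(calling_station_id: str, allowed_macs) -> bool:
    """Policy-style check: compare on the canonical MAC so notation differences
    between the sender and the allow list do not cause silent mismatches."""
    kind, canonical = classify_calling_station_id(calling_station_id)
    if kind != "mac":
        return False
    canonical_allowed = {classify_calling_station_id(m)[1] for m in allowed_macs}
    return canonical in canonical_allowed


# Constructed sample requests, as a RADIUS server might log them
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Calling-Station-Id": "198.51.100.23"},       # older managed device
    {"User-Name": "bob", "Calling-Station-Id": "00-1A-1E-12-34-56"},     # 8.4.0.0 and later
    {"User-Name": "carol", "Calling-Station-Id": "001a.1e65.4321"},      # same, dotted notation
]

if __name__ == "__main__":
    print(summarize_requests(SAMPLE_REQUESTS))        # {'ip': 1, 'mac': 2, 'unknown': 0}
    print(mac_allowed("001a.1e65.4321", ["00:1A:1E:65:43:21"]))   # True
```

The summary function is the quick health check to run over a day of authentication logs after upgrading to 8.4.0.0: a non-zero "ip" count means some managed devices are still sending the old identifier and any MAC-based conditions will not apply to their users.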

VIA VPN Client Authentication

Starting from ArubaOS 8.5.0.0, the VIA connection profile includes the EAP-GTC (non-tunneled) authentication option. This option ensures that the VIA client establishes an IKEv2 tunnel with the managed device.

The following procedure describes how to configure EAP-GTC in the WebUI:

1. In the Managed Network node hierarchy, navigate to Configuration > System > Profiles tab.

2. In the All Profiles list, expand the Other Profiles menu.

3. Expand the VIA Connection profile option and select the name of an existing profile or click + to create a new profile.

4. In the VIA Connection Profile:<profile-name> pane on the right, select eap-gtc from the IKEv2 Authentication method field drop-down list.

5. Click Submit.

6. Select Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands set EAP-GTC as the authentication method:

(host) [mynode] (config) # aaa authentication via connection-profile <profile_name>

(host) [mynode] (VIA Connection Profile "<profile_name>") #ikev2auth eap-gtc