VIA Release Notes
Select any of the VIA client platforms to view release notes for VIA releases supporting devices of that type.
The VIA GUI now contains a link to the worldwide HPE privacy statements.
t page of theThere are no new resolved issues in this release.
There are no new known issues in this release.
Support for L2 VPN/Secure Boot on Windows 10 Clients
VIA 3.4.1 is enhanced to support 64-bit clients running the following Windows releases while using Secure Boot operating mode.
Windows 10 Enterprise LTSC 2019
Windows 10 Enterprise 2016 LTSB
Windows 10 Enterprise 2015 LTSB
In previous releases, some Windows 10 clients would receive the error “A digitally signed driver is required: Windows blocked the installation of a digitally unsigned driver” when installing the VIA client.
|
This feaure is only supported on clients running 64-bit versions of Windows 10. Clients running 32-bit versions of Windows should not upgrade to this release of VIA, and should remain on VIA for Windows 3.2.x. |
Bug ID |
Description |
VIA-2286 |
: Clients that upgrade to supported versions of Windows 10 after installing VIA 3.4.1 are not able to use the L2 VPN functionality. VIA driver does not install this feature on Windows 7 or Windows 8, so support for this feature is not available after the client upgrades to Windows 10. : The L2 VPN functionality is not supported on Secure Boot mode in clients running Windows 7 or Windows 8. TheVIA 3.4.1 to use L2 VPN functionality. : Upgrade a Windows 7 or Windows 8 client to a supported Windows 10 Enterprise release, then reinstall |
VIA-2314 |
Symptom: Windows 7 and Windows 8 clients display the error message "Windows can't verify the publisher of this driver software" when installing the VIA application. Scenario: This error message occurs only during initial installation, and will not impact the installation process. VIA client will operate as expected after installation. : Accept the error message by selecting the option. The |
VIA-2315 |
VIA 3.3.0 and later releases fail to install on clients running 32-bit versions of Windows 10. :VIA 3.3.0 Windows edition does not correctly operate with 32-bit clients, and will fail to install. : The L2 driver introduced inVIA 3.2 releases. : Clients using 32-bit Windows 10 versions should remain at |
Bug ID |
Description |
VIA-1883 |
VIA client may fail to correctly auto-connect after the client wakes from sleep mode. : AVIA for Windows 3.4.1. |
VIA-2194 |
VIA clients displayed the error message "Aruba virtual adapter could not be configured" when attempting to connect. :Scenario: This issue impacted clients running Window Enterprise v1709 or v1803, and is resolved in VIA for Windows 3.4.1. |
VIA-2201 |
VIA clients displayed the error message “ISAKMP stack could not be initialized” when attempting to connect. :Scenario: This issue is resolved for Windows clients in VIA for Windows 3.4.1. |
VIA-2248 |
Symptom: VIA failed to connect on Windows clients authenticating using a smart card with an ECDHE certificate. Scenario: This issue is resolved for Windows clients in VIA for Windows 3.4.1. |
VIA-2257 |
Symptom: Windows VIA clients that authenticated using a smart card with an ECDHE certificate did not correctly fail over to a secondary server. VIA 3.4.1 for Windows resolves an issue where the VIA application could fail to respond when the connection failed over to the secondary server defined in the client's VIA connection profile. : |
Support for One Time Password authentication using IKEv2
VIA 3.4.0 introduces support for One Time Password (OTP) authentication in IKEv2 flows. When enabled, this feature supports a higher level of security associated with IKEv2 by requiring users to authenticate their VPN connections using OTP rather than using a certificate or pre-shared key. Previous releases of VIA for Windows supported the use of OTP authentication with IKEv1 only.
|
This feature is supported on VIA 3.4.0 when deployed in conjunction with ArubaOS 8.5 or later and ClearPass Policy Manager 6.7.7 or later. For the highest level of security, best practices also includes establishing a RadSec session between the ArubaOS controller and the ClearPass Policy Manager server to secure traffic between these devices. |
To enable OTP authentication using IKEv2, you must configure EAP-GTC as the authentication method on the ArubaOS controller:
1. In the Managed Network node hierarchy, navigate to .
2. In the , select from the drop-down list.
3. Click .
4. Select .
5. In the window, select the check box and click .
IKEv2 Flows have Increased Fault Tolerance
VIA 3.4.0 provides greater fault tolerance for network outages due to events such as a down network adapter, an unplugged network cable, or an unreachable ArubaOS controller. If a network disruption is resolved in less than a minute, the VIA IKEv2 session can continue without disruption. If the disruption lasts a minute or longer, the session is disconnected.
During the first minute of a network disruption, VIA displays the following modified icon the system tray to warn users of a potential disruption to their current session.
There are no new known issues in this release.
There are no new known issues in this release.
Enhanced Support for IKEv1 and Suite B
VIA 3.3.2 supports IKEv1VPN tunnels created with ArubaOS IKEv1policies and IPSec dynamic maps that use the following settings:
IKEv1 policy settings:
Encryption: AES256
Hash Algorithm: sha2-384-192
Authentication: Pre-Share
Diffie Hellman Group: 20
IKEv1 IPSec dynamic maps:
PFS group: group20
Transform: esp-aes256-gcm
To use a new ArubaOS IKEv1 policy for a VIA tunnel, you must select that policy in the ArubaOS VIA Connection profile.
There are no new known issues in this release.
Bug ID |
Description |
137108 177232 |
Symptom: VIA failed to connect correctly and displayed the error "Aruba virtual adapter could not be configured." Scenario: This issue impacted clients running Windows 10, and occurred when VIA's attempt to configure an IP address on a virtual adapter took longer than 15 seconds, causing the operation to time out. |
Support for Layer-2 Forwarding
VIA 3.3.1 and ArubaOS 8.4 introduces support for end-to-end layer-2 connectivity, allowing VIA to connect devices in the same Layer-2 network and operate in a similar manner to an Aruba Remote Access Point (RAP).
Starting with ArubaOS 8.4, the VIA connection profile on the controller includes a new option which can be selected to enable Layer-2 forwarding. (This feature is disabled by default.) When this feature is enabled on the controller and the VIA client has made a VPN connection to the controller, the VIA client will activate its internal virtual-hardware L2 adapter. The traffic generated by this adapter will then be routed to the controller for processing, allowing the VIA client to send GRE packets containing Ethernet frames using the IPSec tunnel already established with the controller. GRE packets received from the IPSec tunnel are then processed and forwarded according to the L2 routing rules on the controller. All L2 packets destined (as per client MAC address) to the VIA client are also processed and encapsulated in a GRE packet over the IPSec tunnel.
|
Best practices is to avoid enabling the option and the feature at the same time. The L2 forwarding feature will impact the behavior of the split tunneling feature, so devices using both these features simultaneously will operate in a mode more like full tunnel than split tunnel. But this is not a known issue, but an effect of the design of these features. |
There are no new known issues in this release.
There are no new known issues in this release.
VIA Client Displays Last Logon Date
This Release of VIA for Windows introduces a new security enhancement that displays the date and time of the previous VIA login for that client each time the VIA client is successfully connected. This information appears on the Home screen, as well as the Settings > Network window in the VIA Client GUI. If VIA is running in minimized mode, (either because it is configured to always be minimized or it has been minimized by the user) and VIA appears as a system tray icon, the previous logon date and time appears as a popup balloon message above the system tray once the VIA connection is complete.
Support for SSO-Based Authentication for VIA Profile Download
VIA 3.3.0 for Windows supports Security Assertion Markup Language (SAML) Single-Sign On (SSO), allowing VIA to manage VIA client access based on the attributes in the SAML response issued by the authenticating identity provider (IDP). When this feature is enabled and a VIA user submit a username and password through the VIA client, the VIA user is redirected to an external IDP for authentication. The Aruba controller then uses the attributes returned during the SAML assertion to derive the role and/or dynamic ACLs for that VIA client. The following new parameters have been added to the VIA authentication profile to enable this feature in ArubaOS 8.0.1.0-SP.
Parameter |
Description |
SSO based authentication for VIA Profile download |
Select this option to enable SSO-based authentication for clients downloading a VIA profile. This feature is disabled by default. |
Enabled SSO redirect URI and port |
Use this parameter to direct the request to a service provider URI. By default, ClearPass Policy Manager functions as the service provider for SAML, and can redirect the user to a ClearPass authentication page, or the authentication page of an external IDP. |
SSO ACL server host |
IP address or Fully Qualified Domain Name (FQDN) of the external ACL server. |
SSO ACL server configuration |
The ACL server configuration parameter requires the following information for the remote server: Server user name Server password Server URI Server Port |
New vendor settings have also been added to ClearPass Policy Manager to support this feature. Starting with ClearPass Policy Manager 6.7.5, the Web Logins configuration includes the new vendor settings template
. Once this is template configured and the IP address of the controller is added to the template, the client will always be authenticated will always against the SAML IDP configured in CPPM. After authentication, the following parameters are sent to <controller>/via/sso.sso_user – username entered by the user in the SAML IDP
sso_cookie – SSO cookie
There are no new known issues in this release.
There are no new known issues in this release.
There are no new features in this release .
There are no new known issues in this release
Bug ID |
Description |
137108 177232 |
Symptom: VIA failed to connect correctly and displayed the error "Aruba virtual adapter could not be configured." Scenario: This issue impacted clients running Windows 10, and occurred when VIA's attempt to configure an IP address on a virtual adapter took longer than 15 seconds, causing the operation to time out. |
There are no new features in this release .
Bug ID |
Description |
VIA-1976 |
Symptom: Domain Pre Connect (DPC) fails in VIA 3.2.3. Scenario: When the DPC feature is enabled on the connection profile, VIA tries to connect when the user logs out or restarts the machine. |
Bug ID |
Description |
137108 177232 |
Symptom: VIA authentication failed when there were certain extended Latin characters in the password. Scenario: If there were certain extended Latin characters (like é è ç ô) in the password, VIA authentication failed. Changes to ArubaOS 8.3 and VIA 3.2.3 resolve this issue. ArubaOS 8.3.x and later releases now provide a configuration option in the VIA authentication profile that allow you to configure the encoding format types. (Available types are UTF-8 or ANSI, and the default is UTF-8.) VIA 3.2.3 can extract the encoding format type received from the controller and convert client user credentials into the received encoding format type. |
174951 |
Symptom: The VIA client window popped up even when the user connected to a trusted network. Scenario: When a client connected to a trusted network, the VIA client popped up and stayed idle. When a client connects to an untrusted network, the expected behavior is that the VIA client shall connect and then minimize to the client's system tray. However, in a trusted network, since the VIA client does not connect as per design, it stays idle. Enhancements to VIA 3.2.3 allow the VIA client window to minimize to the client's system tray after it detects a trusted network. |
180822 |
Symptom: VIA 3.2.2 introduced an enhancement to ensure that all local subnet traffic to and from a client using full tunnel mode was securely routed through the VPN tunnel. However, this feature did not address the scenario where the client’s gateway IP address was same as the DHCP server's IP address. Scenario: Further improvements in VIA 3.2.3 ensures that all local subnet traffic to and from a client using full tunnel mode is securely routed through the VPN tunnel, even when the client’s gateway IP address is same as the DHCP server IP address. |
In the VIA Client GUI, the section of the tab displays additional information for certificates, and now indicates whether a certificate is in the machine certificate store and globally available to all users on the device.
The VIA 3.2.2 installer is enhanced with additional settings that allows a user to install and use both VIA 3.2.2 and ClearPass OnGuard 6.7.2 on a single client. This feature requires that both VIA and OnGuard be installed with a specific flag that allows them to coexist on a single device.
To use this feature, OnGuard must be installed by passing the
flag to the installer in the following format:ClearPassOnGuardInstall.exe /AllowBothVIAAndOnGuard=1
msiexec /i ClearPassOnGuardInstall.msi ALLOWBOTHVIAANDONGUARD=1
In addition, VIA must be installed with the flag in the following format:
msiexec /i Aruba-VIA-3.2.0.0.XXXXX-64(86).msi ALLOWBOTHVIAANDONGUARD=1
|
Both OnGuard and VIA must be installed with this flag in order for them to coexist on the same system. If either of them is installed without this flag, the other cannot be installed. |
There are no new known issues in this release.
The following issues are resolved in VIA 3.2.2
Bug ID |
Description |
176782 VIA-1673 |
VIA users to be disconnected. : The virtual adapter was incorrectly disabled at the end of the IKE rekey expiry interval, causingVIA 3.2.2. : This issue occurred when the IKE rekey process failed to complete properly. This issue is resolved in |
167475 43439 |
VIA VPN client attempted to send traceroute messages, the controller did not respond to traceroute diagnostics with the expected message. : When aVIA VPN, dropping packets with a TTL value equal to or lesser than 2. This issue and resolved by improvements to how VIA manages the TTL value of outgoing Encapsulating Security Payload (ESP) packets. : The issue occurred when a controller failed to properly handle packets with a lower time- to-live (TTL) value when processing them through a |
169506 41157 43847 |
VIA, VIA clients connected in full-tunnel mode could incorrectly send and receive traffic from the local default gateway or other devices in the same subnet as the default gateway. : In previous releases ofVIA 3.2.2 ensure that all local subnet traffic to and from a client using full-tunnel mode is securely routed through the VPN tunnel. : Improvements in |
169679 42555 |
Symptom: Clients were not able to authenticate to the network with VIA smart card authentication using a certificate with a PIN. Scenario: Improvements to VIA certificate selection resolves an issue identified in an earlier release of VIA, where clients were unable to authenticate to network using a smart card with a certificate and a PIN, causing the transaction to fail. |
172889 43675 |
VIA profile using RSA SecurID next token authentication, the profile failed to download. : When a client attempted to download aVIA 3.2.2 ensures that the VIA client sends the correct VIA authentication profile information during the connection attempt, ensuring that the correct authentication server and server group verifies the password generated by the RSA token. : Improvements in |
VIA-1694 |
Symptom: VIA failed to choose the previously chosen certificate for a connection created using a connection profile with Domain Pre-Connect (DPC) enabled. Scenario: If a client device with multiple certificates imported into the machine store downloaded a connection profile with DPC enabled, the certificate used by the device to create an initial connection might not be selected again if the user signed out and then signed in back again. |
VIA clients can now access resources over the tunnel that are in the same network addressing range as the local network in full tunnel mode. If a VIA client and another machine are connected to the same router, the second machine was preventing access to similar addressed devices in the enterprise. The change in application behavior now ensures all network access requests go through the tunnel mode setup.
There are no new known issues in this release.
Bug ID |
Description |
42862 |
VIA did not display an appropriate message when a new token is needed for authentication. :VIA 3.2.1, the GUI displays the following text message informing users about this issue: Wait for token to change, then enter the new token code. : If a user enters three consecutive incorrect passwords, the RSA token/DUO requires that the user enter the correct token code twice for authentication to succeed. Starting with |
169679 |
VIA Smartcard authentication fails to admit users with valid certificate and PIN credentials. VIA 3.2.0 when users attempted to sign in using Smartcard authentication. This issue was observed in |
Clients can import connection profiles offline by downloading an XML file containing a valid VIA connection profile.
To import a connection profile while offline, follow the steps below:
1. Navigate to https:/<ControllerIP>/via, and log in using your VIA credentials.
2. After successfully logging in, navigate to https:/<ControllerIP>/via/config?ikever=3.
3. Save the XML file returned by the controller to the following location:
%appdata%Aruba Networks\VIA\.
4. Rename the file as .
Upon startup, if the connection profile has not already been provisioned, VIA will load it from .
If Auto-login is enabled in the new profile, the device will automatically connect to VIA after installation is complete.
In versions prior to VIA 3.2.0, the client must provide their user credentials as part of the HTTPS communication with the controller in order to download a VIA profile. This feature allows clients to authenticate automatically when a valid certificate is presented to the controller with standard ssl/tls key exchange and certificate validation rules.
When a certificate-based profile is configured on a controller, VIA will attempt to authenticate the client certificate, while downloading the initial connection profile from the controller.
To enable certificate-based authentication for profile downloads, follow the steps below:
1. Navigate to .
2. From the menu, open the dropdown folder, then select the desired profile.
3. In the menu, select the checkbox for to enable this feature.
Once the profile is selected, VIA will show the certificate selection screen instead of the username/password screen.
In versions prior to VIA 3.2.0, a connection with the VPN can not be established if external port 443 is blocked. A VPN tunnel can be established for port 4500 when port 443 is blocked and allows the controller to failover to another configured controller if port 4500 is accessible.
When a VIA client attempts to download a profile using a certificate for authentication, VIA can be configured display only those certificates that an administrator allows that user to view.
To filter profile downloads by certificate, follow the steps below:
1. From a
2. Select the profile from the menu.
3. Enter the criteria for certificate filtering into the field.
When a user downloads the profile and initiates connection, only certificates that match the filtering criteria will be listed for authentication. If there is only one certificate available, the connection will be established automatically, without prompting the user to select a certificate.
This feature allows an administrator to preload the VIA Installer with preselected controller addresses. Upon installation, VIA will automatically display the list of controller addresses from which users can download their profile, freeing users from the task of manually entering in the information for the controller.
This feature allows an administrator to preload the VIA Installer with preselected controller addresses. Upon installation, VIA will automatically display the list of controller addresses from which users can download their profile, freeing users from the task of manually entering in the information for the controller.
To embed this profile information into your VIA installer package:
1. Download the build “ansetup64.msi” or “ansetup32.msi” from the Aruba support site to a temporary folder.
2. Create the file GatewayList.xml in the same temporary folder and populate that file with XML data in the format of following example
<?xml version="1.0"?>
<MultiProfileConfig Version="1">
<VPNServerList>
<VPNController>
<Name>Controller-ONE</Name>
<URL>10.17.12.12</URL>
<AuthProfile>IKEv2RSA</AuthProfile>
<Authtype>2</Authtype>
<CertFilteringCriteria>certificateIssuer=customer-1-WIN-XSHSQH1EKMR-CA</CertFilteringCriteria>
<CertAuthPort>8085</CertAuthPort>
</VPNController>
<VPNController>
<Name>Controller-TWO</Name>
<URL>10.17.14.3</URL>
</VPNController>
</VPNServerList>
</MultiProfileConfig>
3. Download the file from the Aruba support site into the same temporary folder as the previous files.
4. Install the NSIS (Nullsoft Scriptable Install System) tool to generate the custom executable file. The file “nsis-3.01-setup” can be downloaded from http://prdownloads.sourceforge.net/nsis/nsis-3.02.1-setup.exe?download.
5. Use the following command to generate the custom executable file
GenerateCustomVIAinstaller.bat Aruba-VIA-3.2.0.0.96992-64.msi GatewayList.xml
6. Using this example, an executable VIA installation file file with the name “Aruba-VIA-3.2.0.0.96992-64” is created in the same temporary folder.
7. When you run the executable installation file, the VIA UI will display VPN server entries with the controller name(s) configured using the <Name> parameter in the xml script in step 2. The user much select a controller and a controller certificate , then click .
8. If the user has a certificate which is not verified, a certificate warning will appear. (This is an expected behavior). In this case, the user must click in the warning message box before profile will be downloaded.
The VIA connection profile includes the new configuration setting that allows you to mark outgoing IKE and ESP packets with custom DSCP values. This parameter supports values between 0 to 63. When a VIA client downloads the connection-profile, this value will also get pushed. VIA will set the configured DSCP value to the outer IP header's ToS byte.
There are no new known issues in this release.
Bug ID |
Description |
37246 |
VIA: Clients were unable to use the following CLI commands to connect, disconnect, and exit fromconnect disconnect exit This issue was observed in all versions prior to 3.2. |
161832 |
VIA becomes stuck in the connection phase. During this time, the Connect/Disconnect button appears gray and is inactive when the user selects it. When a client attempts to login from a non-domain device,VIA 3.0.0. This issue was observed in |
159914 |
VIA after selecting a certificate during authentication. Clients running a 64-bit version of Windows 7 were randomly unable to connect toIn rare cases, the certificate selection prompt might reoccur until the window was closed. VIA 2.3.1. This issue was observed in |
156633 |
arubantsvc.exe while disconnected from VIA. Clients running Windows 7 or 10 experience random spikes in memory usage from the processVIA 3.1.0. This issue was observed in |
Client Certificate-based Authentication
Starting with VIA 3.1, users can authenticate and download VPN profiles using either client certificate-based authentication or the existing credential-based authentication. During certificate-based authentication, the client certificate is verified against the trusted CA certificates imported on the managed device. After the certificate is successfully validated, a user role is derived from the client-identity attributes on the certificate to fetch the corresponding VIA connection profile.
There are no new known issues in this release.
Bug ID |
Description |
152432 |
VIA was unable to download VPN profiles while connecting to a Dell controller image. VIA 2.3.4. This issue was observed in |
152428 |
VIA UI logs displayed the incorrect time format between the hours of 1200 and 1300. VIA 3.0.0. This issue was observed in |
155318 |
Domain Pre-Connect (DPC) failed to initiate when users rebooted or logged off their devices after establishing an IPsec connection. VIA 3.0.0. This issue was observed in |
157858 |
VIA crashed during VPN profile download. VIA 3.0.0 when users attempted to establish a VPN connection using a server URL (FQDN) on devices running Windows 7 or Windows 10. This issue was observed in |
User Interface
VIA 3.0.0 introduces a new User Interface (UI).
Bug ID |
Description |
36226 |
VIA app icon fails to change to the new VIA 3.0.0 app icon. The oldVIA and installing VIA 3.0.0 or upgrading from an older version of VIA to VIA 3.0.0. This issue is observed even after uninstalling an older version of |
36649 |
VIA window minimized feature fails to work in VIA 3.0.0. The keepcontroller. This is a limitation in VIA 3.0.0. This issue is observed even after enabling the parameter in theNone. |
37246 |
VIA 3.0.0 installer: The following CLI commands are not supported on the
VIA 3.0.0. This issue is observed inNone. |
38940 |
VIA 3.0.0. Proxy settings are not available inVIA 3.0.0. This issue is observed inVIA uses proxy settings from Internet Explorer to connect to the network. |
There are no new resolved issues in this release
The VIA GUI now contains a link to the worldwide HPE privacy statements.
t page of theThere are no new resolved issues in this release.
There are no new known issues in this release.
Support for Proxy Servers
VIA3.1.5 for macOS introduces support for HTTPS connections over web proxy servers. If VIA 3.1.5 detects that a web proxy is configured, VIA will not attempt to directly connect to the Internet and will access the network using the available web proxy server. This feature is available for VPN connections made either before the VPN is established (local proxies) or after the VPN is established (remote proxies).
|
VIA 3.1.5 does not support authenticated proxies that prompt for username/password credentials. VPNs using the feature will not use web proxies, as the traffic is not HTTPS encoded. |
There are no new resolved issues.
Bug ID |
Description |
VIA-2333 |
VIA from connecting when using personal identity verification (PIV) authentication. : Issues in MacOS 10.15 preventVIA 3.1.5 does not support authentication using a smart card on clients running macOS 10.15 Catalina. :VIA, but this issue does not impact clients using smart cards while running earlier versions of macOS. : Use pre-shared key (PSK) or certificated-based authentication. There is no workaround for this available in |
VIA-2360 |
VIA VPN is active on macOS : Local web proxy servers continue to be used when aVIA VPN. : When a web proxy server exists on the same subnet as VIA clients, the connection will continue to be used despite the activation of the |
Support for SSO-Based Authentication for VIA Profile Download
VIA 3.1.4 for macOS supports Security Assertion Markup Language (SAML) Single-Sign On (SSO), allowing VIA to manage VIA client access based on the attributes in the SAML response issued by the authenticating identity provider (IDP). When this feature is enabled and a VIA user submits a username and password through the VIA client, the VIA user is redirected to an external IDP for authentication. The Aruba controller then uses the attributes returned during the SAML assertion to derive the role and/or dynamic ACLs for that VIA client. The following new parameters have been added to the VIA authentication profile to enable this feature in ArubaOS 8.0.1.0-SP.
Parameter |
Description |
SSO based authentication for VIA Profile download |
Select this option to enable SSO-based authentication for clients downloading a VIA profile. This feature is disabled by default. |
Enabled SSO redirect URI and port |
Use this parameter to direct the request to a service provider URI. By default, ClearPass Policy Manager functions as the service provider for SAML, and can redirect the user to a ClearPass authentication page, or the authentication page of an external IDP. |
SSO ACL server host |
IP address or Fully Qualified Domain Name (FQDN) of the external ACL server. |
SSO ACL server configuration |
The ACL server configuration parameter requires the following information for the remote server: Server user name Server password Server URI Server Port |
New vendor settings have also been added to ClearPass Policy Manager to support this feature. Starting with ClearPass Policy Manager 6.7.5, the configuration includes the new vendor settings template . Once this is template configured and the IP address of the controller is added to the template, the client will always be authenticated will always against the SAML IDP configured in ClearPass Policy Manager. After authentication, the following parameters are sent to <controller>/via/sso.
sso_user – username entered by the user in the SAML IDP
sso_cookie – SSO cookie
Bug ID |
Description |
VIA-2105 VIA-2086 192777 |
VIA did not display an appropriate message when a new token is needed for authentication. :VIA 3.1.4, the GUI displays the following text message informing users about this issue: Wait for token to change, then enter the new token code. : If a user enters three consecutive incorrect passwords, the RSA token requires that the user enter the correct token code twice for authentication to succeed. Starting with |
There are no new known issues.
Support for macOS Mojave (10.14)
VIA 3.1.3 Mac® Edition supports devices running macOS Mojave (10.14). The Apple VPN framework requirements for this macOS release requires that Mac devices update to VIA 3.1.3 Mac® Edition by downloading the VIA application directly from the Apple App store. Client devices are no longer be able to download and install an updated VIA release through the controller, and the and settings in the VIA connection profile do not apply to this release.
|
Client devices that are not connected to the internet or are unable to connect to the Apple App store will not able to upgrade to this latest version of VIA for macOS. The application has been renamed from Aruba Virtual Intranet Access to Aruba VIA and will appear under this name in the Apple App store and in the applications list once installed on the client. |
Upgrading From an Older VIA Release to VIA 3.1.3 Mac Edition
To upgrade a Mac client from an earlier release of VIA for Mac to VIA 3.1.3 Mac Edition:
1. Uninstall the earlier version of VIA for Mac.
a. Exit the VIA application.
b. Navigate to and select .
c. Right click the icon and select to uninstall VIA.
2. Download the VIA 3.1.3 Mac Edition installation package from the Apple App store.
3. Launch the VIA 3.1.3 Mac Edition installation process to install this latest version of VIA for macOS.
4. The configuration profile used by the older version of VIA for Mac is automatically available for VIA 3.1.3 for macOS. The configuration profile used by the older version of VIA for Mac is automatically available for VIA 3.1.3 for macOS. A privacy policy message appears during the installation process. Click .
5. If the option is enabled, a message appears asking if the user wants to add the VPN configuration. Select the option to continue and complete the connection process.
Installing VIA on a Client with no Existing VIA Software
To install VIA 3.1.3 Mac® Edition on a client that does not have any VIA client currently installed:
1. Download the VIA 3.1.3 Mac Edition installation package from the Apple App store.
2. Launch the VIA 3.1.3 Mac Edition installation process to install this latest version of VIA for macOS.
3. Download the profile and connect.
|
VIA 3.1.1 for macOS and earlier releases are not supported on macOS 10.14 and are prevented from completing a VPN connection. Users with clients running macOS 10.14 should uninstall VIA 3.1.1 for macOS and install VIA 3.1.3 for macOS as described in the section above to allow VIA to work on 10.14. |
Downgrading to an Earlier Version of VIA
Downgrading from VIA 3.1.3 for macOS to earlier versions of VIA is not recommended. If you install a downgraded version of VIA, you will see two VIA icons and two VIA GUIs on your client. To complete the downgrade, to uninstall the older version of VIA as described in Upgrading From an Older VIA Release to VIA 3.1.3 Mac Edition.
Bug ID |
Description |
174023 |
Local DNS resolution does not work when using split-tunnel VPNs on devices running macOS. VIA 3.1.3 supports local DNS resolution only if Internal domains are added to the DNS suffix list in the VIA connection profile. : Internal software changes have resolved this issue, but |
Two-factor Authentication Using a Smart Card
VIA 3.1.1 Mac® Edition supports two-factor authentication using a smart card that requires a user to submit a unique token and a PIN. The smart card certificate can also be used to download a certificate-based VIA profile. To use a smart card with VIA 3.1.1:
1. Install the software drivers for the smart card on the Mac OS X client.
2. Use the smart card software utility to install certificates onto the smart card. VIA does not support certificate import to the smart card.
3. Download a certificate-based VIA authentication profile on the Mac OS X client.
4. Open VIA and click .
5. The certificate dialogue lists the certificates on the smart card along in addition to the other certificates in the login and system stores.
6. When VIA displays the message , enter the smart card PIN then click .
Bug ID |
Description |
174023 |
Local DNS resolution does not work when using split-tunnel VPNs on devices running macOS. VIA for macOS 3.1.0 or later releases, users may be unable to resolve DNS entries on the local network. After upgrading to: None |
Bug ID |
Description |
43498 |
VIA clients running OS X with the language set to Turkish can now use VIA to connect to the network. :Internal enhancements resolve an issue identified in previous releases that could prevent OS X Turkish language clients from connecting. |
34634 |
VIA clients can properly reconnect to a network using a profile with MSCHAPv2 authentication and the option enabled. VIA to connect to the network, VIA attempted to use the saved password, and authentication failed. An issue is resolved that prevented a client from reconnecting when the client used a MSCHAPv2 profile with the option enabled and the client's login password was changed on the RADIUS server. The next time the client used |
32882 |
VIA connection profile can now be disabled. : The setting in theArubaOS VIA connection profile supports a setting of , which disables this feature. This feature is supported by ArubaOS 6.5.x and ArubaOS 8.x. : The parameter in the |
32699 |
VIA 3.1.1 resolves an issue that could cause VIA to stop responding if an invalid certificate was selected. :VIA 3.1.1 displays an error message and allows the user to select a different, valid certificate, but does not stop responding. : If a user selects an invalid certificate, |
VIA clients can now access resources over the tunnel that are in the same network addressing range as the local network in full tunnel mode. If a VIA client and another machine are connected to the same router, the second machine was preventing access to similar addressed devices in the enterprise. The change in application behavior now ensures all network access requests go through the tunnel mode setup.
Bug ID |
Description |
174023 |
Local DNS resolution does not work when using split-tunnel VPNs on devices running macOS. VIA for macOS 3.1.0, users may be unable to resolve DNS entries on the local network. After upgrading to: None |
Bug ID |
Description |
39606 |
VIA client crashed on macOS after the server information is changed from the initial domain to an IP address of a VIA connection profile. AVIA 3.1.0. This issue was resolved in |
There are no new features in VIA 3.0.2.
Bug ID |
Description |
149813 |
VIA. Users are unable to access the Intranet after the VPN connection is established onVIA 3.0.1 when split tunneling is enabled on the VIA connection profile used to establish the VPN connection. This issue is observed in Mac devices withNone. |
Bug ID |
Description |
150163 |
VIA UI displayed an incorrect remote server hostname for each VIA connection profile when multiple connection profiles were configured. VIA used the configuration information of one controller for all network adapters. This issue is resolved by ensuring the configuration information is retrieved from the controller selected for the connection. Scenario: This issue was observed in VIA 3.0.0 on devices using Mac OS X El Capitan and macOS Sierra. The Network tab of the |
There are no new features in VIA 3.0.1.
Bug ID |
Description |
35554 |
VIA profile gets deleted after upgrading Mac OS X from 10.11.5 to 10.11.6. VIA profile is stored in a temporary location. Mac OS X uses an OS API to retrieve the VIA profile post the upgrade, but returns empty. During Mac OS X upgrade, theVIA profile. Reboot the system multiple times after upgrade. This sometimes makes the API return proper details, hence recovering the |
Bug ID |
Description |
34558 |
VIA obtained an old profile. This issue is resolved by deleting the backup copy of the old VPN configuration files from the temporary folder after VIA installation is successful. VIA. This issue was observed in Mac clients running VIA 3.0.0. This issue was observed after uninstalling and reinstalling |
34035 139483 |
VIA continuously requested for administrative credentials. This issue is resolved by adding a VPN service which runs as daemon(root) and handles all VPN configuration modification requests from VIA client. VIA 3.0.0. This issue was observed when the password was changed for a downloaded profile on a non admin user. This issue was observed in Mac machines with |
34009 |
VIA requested for credentials on every connection although save password was enabled. The fix ensures that VIA retrieves the saved password successfully and connects automatically. VIA 3.0.0. This issue was observed when the user changed the credentials for the profile under use. This issue was observed in Mac machines with |
33880 |
VIA process was high even when there was no traffic passing through the tunnel. This issue is resolved by VIA checking whether the application needs VPN status update or not. For example, if VIA is running in the background or minimized then, updating the VIA UI is not required. CPU usage of theVIA UI was updated even when VIA was minimized. This issue was observed in Mac machines with VIA 3.0.0. This issue was observed when |
VIA supports automatic upgrade and downgrade. When a new version of VIA is available on the server, VIA automatically initiates upgrade/downgrade after disconnecting the VPN.
|
You cannot downgrade from VIA 3.0.0 to any version of VIA 2.x. This feature is only available on |
Network administrators can enable the controller to prevent profile setting changes on the VIA client. When this knob is enabled, users cannot clear profiles or edit any settings on the tab, including the server and authentication profile.
knob on the
|
This feature is not available on iOS devices. |
In earlier versions of VIA, users could only send logs to the network administrator. Now users can modify or add to the email recipients list for sending logs.
The VIA on Mac OS devices.
is used to uninstallis located at
|
The VIA uninstaller application is only available on macOS devices. |
VIA 3.0.0 introduces an updated User Interface (UI).
Bug ID |
Description |
28221 |
VIA 2.0.4.0 UI failed to respond when the button was clicked while downloading a profile. This issue is resolved in VIA 3.0.0. VIA 2.0.4.0. This issue was observed occasionally in Mac OS X with |
28391 |
VIA connection was established. This issue is resolved with the new VIA 3.0.0 UI. The / fields were blank althoughVIA 2.0.3.0 on Mac OS X clients. This issue occurred intermittently on |
29454 |
VIA client did not update the new profile. This issue is resolved by implementing internal code changes. When there was a role mismatch, theVIA 2.0.3.0 and 2.0.4.0. This issue was observed when the server or the Active Directory set a different role than the initial role. The client profile failed to get updated with the new profile according to the new role. This issue was observed in |
29473 |
VIA failed to connect with SHA1-160 for hash in IKE crypto map. This issue is resolved by implementing internal code changes. VIA 2.0.4.0. This issue was observed in Mac OS X with |
30217 |
VIA failed to attach the log file. This issue is resolved by implementing internal code changes. When button was clicked,VIA 2.0.4.0. This issue was observed in Mac OS X 10.11 clients with |
30672 |
VIA failed to establish VPN connection with IKEv1 certificate authentication. This issue is resolved by implementing internal code changes. VIA 2.0.4.0. This issue was observed when client certificate had multiple intermediate CA. This issue was observed in |
31131 |
VIA failed to respond. This issue is resolved by implementing internal code changes. This issue was observed when VIA 2.0.4.0 was detecting network after the Mac OS X machine woke up from sleep mode. |
The VIA GUI now contains a link to the worldwide HPE privacy statements.
t page of theThere are no new known issues in VIA 3.1.1 for Linux.
Bug ID |
Description |
VIA-2374 |
VIA deployments with controllers running ArubaOS 8.2.x, setting a VIA Message of the Day (MotD) banner with more than 1247 characters could prevent Linux clients from downloading the VIA profile. InVIA profile. Clients that had already downloaded the profile were able to properly connect despite the large banner message file. The issue only impacted Linux clients trying to download a |
VIA-2359 |
VIA command-line interface. : Logon/logoff scripts failed to work properly on clients connecting using theVIA clients connectiong through the VIA GUI. This issue is resolved in VIAfor Linux 3.1.1. : In previous releases, logon/logoff scripts could only work properly on |
VIA 3.1.0 for Linux introduces support for Ubuntu 18.04 LTS, replacing Ubuntu 12.04 LTS, which was supported in previous releases of VIA 3.x for Linux, but is not supported in VIA 3.1.0 for Linux. Before you install or upgrade to VIA 3.1.0 for Linux, the following packages must be installed on the client device:
libqtcore4
libqtgui4
libgnome-keyring0
These packages are available for download from packages.ubuntu.com, and can be installed on the device using the command . When you first install or upgrade to VIA 3.1.0 for Linux, the application does not start automatically, and must be opened manually by selecting the VIA application link on the desktop. If the warning message appears, select the option.
The VIA tray icon and context menu is not supported in this release. To display the application main window, use a desktop shortcut or click the application icon in the left dashboard menu.
VIA 3.1.0 for Android introduces a new security enhancement that displays the date and time of the previous VIA login for that client each time the VIA client is successfully connected. This information appears on the Home screen, as well as the Settings > Network window in the VIA Client GUI.
Figure 2 Home screen Tab Showing Previous Login Information
The command VIA command-line interface to display session status in a machine-readable (json) format. The VIA command-line interface is useful for viewing status information on a headless machine which does not support a graphical user interface.
is added to theWhen a client running VIA 3.1.0 for Linux attempts to download a profile using a certificate for authentication, VIA can be configured display only those certificates that an administrator allows that user to view. To filter profile downloads by certificate, follow the steps below:
1. From a
2. Select the profile from the menu.
3. Enter the criteria for certificate filtering into the field.
When a user downloads the profile and initiates connection, only certificates that match the filtering criteria will be listed for authentication. If there is only one certificate available, the connection will be established automatically, without prompting the user to select a certificate.
There are no new known issues in VIA 3.1.0 for Linux.
There are no new resolved issues in VIA 3.1.0 for Linux.
VIA 3.0.1 introduces support for CentOS 7 and Red Hat Enterprise Linux (RHEL) 7.
VIA 3.0.1 introduces support for smart card authentication. Smart cards provide two-factor authentication for IKEv1 Cert, IKEv2 Cert, and IKEv2 EAP-TLS using a certificate and PIN number.
To establish a VPN connection using a smart card:
1. Configure the smart card device with a Public-Key Cryptography Standards (PKCS) library using the standard procedure, and then configure the PKCS module path in the file as follows:
<cryptoki_lib_path>:
#cat /usr/share/via/via_config.xml
<via_config_profile>
...
<cryptoki_lib_path>/usr/lib/ libeTPkcs11.so</cryptoki_lib_path>
...
</via_config_profile>
2. Launch VIA and download a certificate-based VPN connection profile.
3. Plug the card reader into your device.
4. Click the VPN connection status ring on the VIA home screen to connect VIA.
5. Navigate to the tab.
6. The list of available certificates, including certificates from the smart card, is displayed.
7. Select the certificate, and then click .
8. Enter the smart card PIN number when prompted to .
9. Click . The VPN connection is established.
There are no new known issues in VIA 3.1.0 for Linux.
There are no new resolved issues in VIA 3.1.0 for Linux.
VIA 3.0.0 introduces a new User Interface (UI).
VIA 3.0.0 introduces the support for Ubuntu 16.04.
VIA 3.0.0 introduces the connection failover feature. If a profile has more than one connection profile and the primary controller fails, this triggers a failover to the secondary controller.
VIA 3.0.0 introduces the auto-config feature, which allows a user to saves configuration settings in a configuration file that VIA can use to establish an IPsec session. A copy of the configuration file template, is available in the folder. A user can copy this file template to a local folder and modify the settings as required.
Once the configuration file (VIA looks for the configuration file in the current folder. If the configuration file is not found, the VIA looks for it in . If the downloaded profile is marked as auto connect, VIA attempts to connect and uses the configuration file for any inputs.
) is ready, use the < > command to load the configuration. If < is not specified,The following table lists the parameters in VIA configuration file:
Parameter |
Description |
Input Type |
---|---|---|
ProfileGateway |
IP address or host name of the server from which, VIA downloads the profiles |
String |
ProfileUsername |
Username for authentication to download the profile |
String |
ProfilePassword |
Password for authentication to download the profile |
String |
ProfileAuthenticationProfile |
VIA authentication profile to select if there are multiple profiles |
String |
ProfileIgnoreWarning |
Ignores any HTTPS warnings while downloading the profile if set to yes [Y] |
Char [Y/N] |
CertificateStoreKey |
Certificate store key is used when importing certificates |
String |
CertificateDeleteAll |
Deletes all existing certificates before importing new certificates |
Char [Y/N] |
CertificateImportPrivate |
Imports a given or certificate and certificate encryption key separated with comma. Appened multiple entries separated by semicolon. |
String |
CertificateImportPublic |
Imports a given or certificate. Appened multiple entries separated by semicolon. |
String |
AuthUsername |
Username for XAUTH or MSCHAPv2 |
String |
AuthPassword |
Password for XAUTH or MSCHAPv2 |
String |
AuthPIN |
Used if the certificate is enclosed with a subsystem that uses PIN (for example: smartcards) |
4-digits numeric |
AuthCertificateSubject |
Identifies the certificate to be used for authentication
|
String |
AuthConnect |
Connects after profile download when set to yes [Y] |
Char [Y/N] |
RouteEnable |
Enables client side routing when set to yes [Y] |
Char [Y/N] |
RouteNetworks |
IP address of the subnets. Appened multiple IP addresses separated by semicolon. |
- |
Ensure the IKEv2 Configuration Payload Support for VIA Clients feature is enabled in the controller running ArubaOS 6.5 or later. This feature has been implemented in the following two topologies:
This section describes the prerequisites and procedure to setup. The following figure shows a simple setup for VIA gateway:
Figure 3 Simple Setup for VIA Gateway
Prerequisites
Linux Client machine running Ubuntu 12.04/14.04/16.04 , CentOS 6, or RHEL 6
Controller running ArubaOS 6.5 or later
The IKEv2 configuration payload support for VIA clients (CFG_SET) feature is enabled in the controller. Refer to ArubaOS 6.5.x User Guide for more details.
|
CFG_SET is supported only on ArubaOS 6.5 or later |
Procedure
1. In the controller, configure IKEv2 VIA profile.
2. Install VIA 3.0.0 on the Linux machine.
3. In the controller, enable VIA subnet routes by running the command.
4. Use either VIA configuration file (see VIA Release Notes) or manual operations to install and connect to VIA.
5. Disconnect VIA using the command.
6. Set the routable networks using one of the following ways:
If you are using the auto configuration file, update the configuration file and set
and also set the appropriately. Force load the configuration using the command.If you are connecting VIA using UI, update the and add and values. Connect to VIA.
7. VIA sends an INFORMATIONAL-CFG_SET with given subnets, as shown below:
Aug 14 17:44:42.686 [VPN INFO config_loader():config_loader.c:152] Loading cached configuratin file /usr/share/via/via-updated.conf
Aug 14 17:44:42.686 [VPN INFO config_loader_load_subnets():config_loader.c:253] Route Networks(0):192.168.1.0 (108736)
Aug 14 17:44:42.686 [VPN INFO config_loader_load_subnets():config_loader.c:253] Route Networks(1):255.255.255.0(16777215)
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] I -->
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] CFG_SET
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] IP4_SUBNET(192.168.1.0 /255.255.255.0)
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] spi={cb37cdce891b8db5 26f868cf9efd78ce} np=E{CP}
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] exchange=INFORMATIONAL msgid=2 len=96
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] #SEND 100 bytes to 10.10.2.184[4500] (37.278)
8. Controller replies with an INFORMATIONAL-CFG_ACK, as shown below:
Aug 14 17:44:42.890 [VPN DEBUG LOG_from_mocana():log.c:678]
Aug 14 17:44:42.890 [VPN DEBUG LOG_from_mocana():log.c:678] #RECV 100 bytes from 10.10.2.184[4500] at 10.0.2.15 (37.483)
Aug 14 17:44:42.890 [VPN DEBUG LOG_from_mocana():log.c:678] spi={cb37cdce891b8db5 26f868cf9efd78ce} np=E{CP}
Aug 14 17:44:42.890 [VPN DEBUG LOG_from_mocana():log.c:678] exchange=INFORMATIONAL msgid=2 len=96
Aug 14 17:44:42.891 [VPN DEBUG LOG_from_mocana():log.c:678] I <--
Aug 14 17:44:42.891 [VPN DEBUG LOG_from_mocana():log.c:678] CFG_ACK
Aug 14 17:44:42.891 [VPN DEBUG LOG_from_mocana():log.c:678] IP4_SUBNET(192.168.1.0 /255.255.255.0)
Aug 14 17:44:42.891 [VPN DEBUG ike_cfg_response():ike_cfg.c:297] Ingoring Subnet config
Aug 14 17:44:42.891 [VPN DEBUG ike_cfg_response():ike_cfg.c:311] Recieved Acknowledgement for CFG_SET
9. In the client machine, Add an extra iIP address to one of the interfaces. And assign an ip address that is part of the subnet neing tunneled.
sudo ip addr add 192.168.1.1/24 dev eth0
10. From subnet, try reaching the internal VLAN of the controller. In the following example 172.16.31.1 is internal IP of the controller.
ping 172.16.31.1 -I 192.168.1.1
If a reply is received, setup is successful.
This section describes the prerequisites and procedure to setup using virtual machines. The following figure shows a setup using virtual machines for VIA gateway:
Figure 4 Setup using Virtual Machines for VIA Gateway
Prerequisites
Virtual Machine Host (Windows or Linux machine) for hosting at least 2 virtual machines
Two Virtual Machines
VIA-VM: Virtual machine with Linux running Ubuntu 12.04/14.04/16.04 , CentOS 6 or RHEL 6. Headless configuration (install minimal or server image)
Win-VM: Windows machine.
Controller running ArubaOS 6.5 or later
The IKEv2 configuration payload support for VIA clients (CFG_SET) feature is enabled in the controller. Refer to the ArubaOS 6.5.x User Guide for more details.
Procedure
1. In the controller, configure IKEv2 VIA profile.
2. Install two virtual machines as described in the VIA Release Notes section above.
a. Configure network such that VIA-VM has two interfaces, as shown below:
eth0: NAT or bridge to ensure internet connectivity (set to DHCP if the setup environment allows).
eth1: Internal network (no NAT or bridge) to create a private network. Set to static IP 192.168.1.1/24.
b. Configure network such that Windows-VM has one interface that has one adapter. Set the adapter to Internal network (no NAT or Bridge) with either static or dhcp ip in the range of 192.168.1.2-250 with 192.168.1.1 as default gateway.
c. Start both the VMs.
d. Ensure VIA-VM can connect to internet.
e. Ensure Win-VM can connect to the VIA-VM on both interfaces (eth1:192.168.1.1, eth0:other ip assigned by DHCP). Enable routing in VIA-VM ( ). Check to see if the Win-VM can reach the eth0 address of VIA-VM. Restart VIA-VM, if needed.
3. Install VIA 3.0.0 on the Linux machine.
4. Use the VIA configuration file to install certificates and connect to VIA (see VIA Release Notes).
5. Disconnect VIA using the command.
6. Set the routable networks by updating the configuration file. In the config file, set RouteEnable=Y and also set the appropriately. Force load the configuration using the command.
7. VIA sends an INFORMATIONAL-CFG_SET with given subnets, as shown below:
Aug 14 17:44:42.686 [VPN INFO config_loader():config_loader.c:152] Loading cached configuratin file /usr/share/via/via-updated.conf
Aug 14 17:44:42.686 [VPN INFO config_loader_load_subnets():config_loader.c:253] Route Networks(0):192.168.1.0 (108736)
Aug 14 17:44:42.686 [VPN INFO config_loader_load_subnets():config_loader.c:253] Route Networks(1):255.255.255.0(16777215)
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] I -->
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] CFG_SET
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] IP4_SUBNET(192.168.1.0 /255.255.255.0)
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] spi={cb37cdce891b8db5 26f868cf9efd78ce} np=E{CP}
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] exchange=INFORMATIONAL msgid=2 len=96
Aug 14 17:44:42.686 [VPN DEBUG LOG_from_mocana():log.c:678] #SEND 100 bytes to 10.10.2.184[4500] (37.278)
8. Controller replies with an INFORMATIONAL-CFG_ACK, as shown below:
Aug 14 17:44:42.890 [VPN DEBUG LOG_from_mocana():log.c:678]
Aug 14 17:44:42.890 [VPN DEBUG LOG_from_mocana():log.c:678] #RECV 100 bytes from 10.10.2.184[4500] at 10.0.2.15 (37.483)
Aug 14 17:44:42.890 [VPN DEBUG LOG_from_mocana():log.c:678] spi={cb37cdce891b8db5 26f868cf9efd78ce} np=E{CP}
Aug 14 17:44:42.890 [VPN DEBUG LOG_from_mocana():log.c:678] exchange=INFORMATIONAL msgid=2 len=96
Aug 14 17:44:42.891 [VPN DEBUG LOG_from_mocana():log.c:678] I <--
Aug 14 17:44:42.891 [VPN DEBUG LOG_from_mocana():log.c:678] CFG_ACK
Aug 14 17:44:42.891 [VPN DEBUG LOG_from_mocana():log.c:678] IP4_SUBNET(192.168.1.0 /255.255.255.0)
Aug 14 17:44:42.891 [VPN DEBUG ike_cfg_response():ike_cfg.c:297] Ingoring Subnet config
Aug 14 17:44:42.891 [VPN DEBUG ike_cfg_response():ike_cfg.c:311] Recieved Acknowledgement for CFG_SET
9. From Win-VM, try reaching the internal VLAN of the controller. In the example, 172.16.31.1 is the internal IP of the controller.
10. Ping 172.16.31.1.
If a reply is received, setup is successful.
There are no new known issues in VIA 3.0.0.
Bug ID |
Description |
142369 |
VIA was installed, the network manager GUI no longer started. This issue is resolved by adjusting build scripts to statically link to the required utility functions. AfterThe issue occurred due to runtime non-availability of a dynamic library. |
The VIA GUI now contains a link to the worldwide HPE privacy statements.
t page of theThere are no new resolved issues in this release.
Bug ID |
Description |
VIA-2400 |
: VIA will stop responding after startup on Chromebooks using Intel CPUs. VIA on a Chromebook should download and install the VIA 3.1.4 for Android release manually to prevent this issue. : Clients running |
There are no new features in this release.
Bug ID |
Description |
VIA-2134 |
VIA fails to connect, and displays the message “Aruba VIA keeps stopping” after it downloads the VIA profile. :VIA connects properly after the profile downloads. : Internal changes to the VIA software ensure that |
There are no new known issues in this release.
Support for SSO-Based Authentication for VIA Profile Download
VIA 3.1.3 for Android supports Security Assertion Markup Language (SAML) Single-Sign On (SSO), allowing VIA to manage VIA client access based on the attributes in the SAML response issued by the authenticating identity provider (IDP). When this feature is enabled and a VIA user submit a username and password through the VIA client, the VIA user is redirected to an external IDP for authentication. The Aruba controller then uses the attributes returned during the SAML assertion to derive the role and/or dynamic ACLs for that VIA client. The following new parameters have been added to the VIA authentication profile to enable this feature in ArubaOS 8.0.1.0-SP.
Parameter |
Description |
SSO based authentication for VIA Profile download |
Select this option to enable SSO-based authentication for clients downloading a VIA profile. This feature is disabled by default. |
Enabled SSO redirect URI and port |
Use this parameter to direct the request to a service provider URI. By default, ClearPass Policy Manager functions as the service provider for SAML, and can redirect the user to a ClearPass authentication page, or the authentication page of an external IDP. |
SSO ACL server host |
IP address or Fully Qualified Domain Name (FQDN) of the external ACL server. |
SSO ACL server configuration |
The ACL server configuration parameter requires the following information for the remote server: Server user name Server password Server URI Server Port |
New vendor settings have also been added to ClearPass Policy Manager to support this feature. Starting with ClearPass Policy Manager 6.7.5, the Web Logins configuration includes the new vendor settings template ClearPass Policy Manager. After authentication, the following parameters are sent to <controller>/via/sso.
. Once this is template configured and the IP address of the controller is added to the template, the client will always be authenticated will always against the SAML IDP configured insso_user – username entered by the user in the SAML IDP
sso_cookie – SSO cookie
There are no new resolved issues in this release.
There are no new known issues in this release.
VIA 3.1.2 introduces support for the following IKEv1 VPN tunnel configuration, which can be defined using the pages of the ArubaOS 8.x WebUI, or the pages of the ArubaOS 6.5.x WebUI.
IKE Policy Settings:
Encryption:
Hash Algorithm:
Authentication:
Diffie Hellman Group:
IKEv1 IPSec Dynamic Map Settings:
PFS group:
Transform hash :
Previous releases of VIA did not support SHA2-384 hash algorithms in IKEv1 when a GCM transform has was also used.
Bug ID |
Description |
VIA-2089
|
: VIA fails to connect on devices running Android 9 (Pie) when Voice over LTE (VoLTE) is enabled. : Internal changes to the VIA software ensure the proper IP address is chosen for the VPN connection. |
There are no new Known issues in this release.
There are no new Known issues in this release.
There are no new Known issues in this release.
Support for AppConfig-Compliant EMM providers
AppConfig is a standard supported by many Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) systems for secure application configuration and management. VIA 3.1 for Android supports these AppConfig standards for pushing the VIA application configuration to mobile devices by introducing support for the following AppConfig settings:
Key | Value |
---|---|
vpn_server |
The IP address or FQDN of the VPN server |
web_auth_profile_name |
The name of a VIA Web Authentication profile the VIA client uses to download the VIA connection profile |
vpn_whitelist_apps |
A comma-separated list of the package names of applications which are allowed to use the VIA VPN tunnel. If you use this AppConfig setting to define an application whitelist, only those applications on this whitelist will be allowed to use the VIA VPN. |
|
This feature is only supported on devices running Android 5.0 or later and the "Android for Work" environment. |
Whitelist for Apps Allowed to Use the VPN
You can use AppConfig to create a whitelist of applications that are allowed to use the VIA VPN, and push this whitelist to devices running Android 5.0 or later and using the "Android for Work" environment and an EMM/MDM system that supports the AppConfig standard. Add apps to the whitelist by adding them to the vpn_whitelist_apps AppConfig configuration key described in Table 33.
VIA Client Displays Last Logon Date
VIA 3.1 for Android introduces a new security enhancement that displays the date and time of the previous VIA login for that client each time the VIA client is successfully connected. This information appears on the Home screen, as well as the Settings > Network window in the VIA Client GUI. If VIA is running in minimized mode, (either because it is configured to always be minimized or it has been minimized by the user) and VIA appears as a system tray icon, the previous logon date and time appears as a popup balloon message above the system tray once the VIA connection is complete.
Figure 6 Home screen and Network Tab Showing Previous Login Information
Configurable MTU settings
The VIA Client MTU parameter in the VIA connection Profile is now available for both Windows and Android clients. VIA automatically calculates the optimal MTU value for the virtual adapter based on the physical network interface on the client device. In situations where this optimal value may not be desired, enabling this feature allows the administrator to change the MTU value used by VIA.
VIA compares the VIA-calculated MTU and the MTU value defined by the VIA Client MTU parameter, and uses the lesser MTU value. For example, if the VIA-calculated MTU value is 1300 and the configured MTU value is 1452, VIA uses the lower calculated value 1300. This feature can be use to allow an Android client to process and ACK packets even with low TCP windows size on the web server.
Use the following procedure to configure the VIA Client MTU value on a Controller running ArubaOS 6.5.1 or later.
1. Navigate to the L3 Authentication page in the controller or Mobility Master WebUI.
On a standalone controller running ArubaOS 8.x or in the Mobility Master, navigate to > , then click the tab.
hierarchy onOn a controller running ArubaOS 6.5.x, navigate to Configuration > Security > Authentication then click the L3 Authentication tab.
2. Select VIA Connection. A list of VIA connection profiles appears.
3. Select the VIA connection profile you which to configure.
4. In the VIA Client mtu value field, enter a value between 576 and 5120. The default setting is 1452.
5. Save your settings.
On a standalone controller running ArubaOS 8.x, or in the Mobility Master, click select , then open the window and click .
hierarchy onOn a controller running ArubaOS 6.5.x, click Apply.
Bug ID |
Description |
VIA-1802
|
VIA displayed the error This app was built for older version of Android and may not work properly. : Earlier releases ofResolution: VIA 3.1.0 for Android introduces an updated SDK targeting Android 4.2 or later, preventing the error message required by Google when users tried to install an app using an older SDK. |
There are no new Known issues in this release.
There are no new features in VIA 3.0.5.
There are no new known issues in VIA 3.0.5.
Bug ID |
Description |
41710 |
VIA log files were not generated. :: A user was not able to generate log files on clients running Android 8.0 (Oreo). VIA 3.0.5 allow VIA to correctly generate log files on clients running Android 8.0 (Oreo). : Enhancements in |
175205 |
VIA failed to correctly select a certificate for a failover connection. :VIA profile with certificate-based authentication and was also configured to use the "Keep-On" Knox connection method, if the device failed over from a primary controller to a backup controller, VIA failed to choose the certificate during the failover process. : In an Android Knox environment where a device used aVIA 3.0.5 allow VIA to select the previously chosen certificate for a failover connection. : Enhancements in |
VIA-1750 |
VIA through the Management API. : Users can't connect toVIA connection then switched to any other VPN application, that user was unable connect to VIA again using the Management API. : If a user established aVIA 3.0.5 resolves a permission issue where VIA could lose permissions after a device operating system grants permissions to another VPN application. The issue is still seen in Android 5.0 (Lollipop) because of an Android OS limitation which requires the user to grant permissions each time the user switches between VPN applications. |
In previous versions of VIA, the client must provide their user credentials as part of the https communication with the controller in order to download a VIA.profile. This feature allows the client to authenticate automatically when a valid certificate is presented to the controller with standard ssl/tls key exchange and certificate validation rules.
When a certificate-based profile is configured on a controller, VIA will attempt to authenticate the client certificate, while downloading the initial connection profile from the controller.
If the controller requires a role to be assigned to the user, the client's identity can be authenticated using the appropriate certificate. This can be accomplished through the following:
Email ID from the SubjectAltName extension (2.5.29.17)
Email address OID (1.2.840.113549.1.9.1
Subject containing E= attribute (2.5.29.14)
Issued to Name (in absence of email address) (2.5.19.17)
The VIA connection profile includes the new configuration setting that allows you to mark outgoing IKE and ESP packets with custom DSCP values. This parameter supports values between 0 to 63. When a VIA client downloads the connection-profile, this value will also get pushed. VIA will set the configured DSCP value to the outer IP header's ToS byte.
Please note this feature is supported in ArubaOS 6.5.4 and onward, however, it is unavailable for ArubaOS 8.x versions.
There are no new known issues in VIA 3.0.4.
Bug ID |
Description |
169708 |
VIA 3.0.3 for Android. : Android devices managed by the MaaS360® Mobile Device Management app were unable to download updated VIA VPN Profiles withVIA 3.0.4 increased compatibility with older management APIs, resolving this issue. : Enhancements in |
26293 |
VIA was unable to establish certificate -based tunnels if the client certificate was chained. AndroidVIA releases prior to 3.0.3. This issue was observed in all |
There are no new features in VIA 3.0.3.
Bug ID |
Description |
27292 |
VIA fails to connect. VIA 2.2.6 or later, or after upgrading to VIA 2.2.6 when previous versions of VIA or any other VPN client are already installed and connected. This issue is specific to the Android 5.0 operating system and occurs after installingVIA 2.3.1 or later, or after upgrading VIA. Restart the Android 5.0 device after installing |
41413 |
VIA profiles when using a chain certificate. Clients are unable to downloadVIA 3.0.1 and 3.0.3. When clients attempt to download a VIA profile using a chain certificate, the download will fail. This issue is present inThe chain certificate may still be used to connect to VIA. |
Bug ID |
Description |
26293 |
VIA was unable to establish certificate-based tunnels if the client certificate was chained. AndroidVIA releases prior to 3.0.3 and is resolved in VIA for Android 3.0.3. This issue was observed in all |
The login banner feature allows you to display a static warning message that provides information related to corporate policies or terms and conditions of using VIA. The login banner is displayed when the VIA connection is initiated and contains the and buttons. The VIA connection is processed only if the user clicks . If the user clicks , the warning message closes, and the VIA connection is aborted.
To upload a login banner for VIA:
1. Navigate to in the controller WebUI.
2. Under the section, click to locate and select the login banner file.
3. Click .
VIA 3.0.2 introduces support for sideloaded VPN connection profiles in Samsung Knox™ environments. If an admin user sideloads a VPN connection profile to VIA and then provisions a Samsung Knox™ profile, VIA gives preference to the sideloaded VPN connection profile. When the VPN connection is triggered, VIA connects using the sideloaded profile.
To sideload a VPN connection profile to VIA:
1. Login to .
2. After successful login, go to . The controller returns a VPN connection profile xml file.
3. Save the xml file as .
4. Place the file in the root directory of the Android file system.
5. Launch VIA. If a VPN connection profile has not yet been provisioned on VIA, VIA loads the connection profile from the file.
There are no new known issues in VIA 3.0.2.
Bug ID |
Description |
34254 |
VIA automatically reconnected after reaching the maximum session timeout. VIA 3.0.0. and is resolved in VIA for Android 3.0.2. This issue was observed in |
36315 |
VIA UI was updated with the assigned network IP address. When users connected to a trusted network, the on the tab of theVIA 3.0.0 when users connected to a trusted network and is resolved in VIA for Android 3.0.2. This issue was observed in |
There are no new features in VIA 3.0.1.
Bug ID |
Description |
135653 |
VIA connections with IKEv1 certificates fail when the certificate chain is used. controller does not have the complete certificate chain configured as a trusted CA, but individual certificates in the chain are configured as trusted CAs, the VIA connection fails with IKEv1 certificates. This issue is observed in Android devices in VIA 2.3.1. If thecontroller, configure the complete certificate chain of the intermediate CA as an ISAKMP CA certificate. On the |
27292 |
VIA fails to connect. VIA 2.2.6 or later, or after upgrading to VIA 2.2.6 when previous versions of VIA or any other VPN client are already installed and connected. This issue is specific to the Android 5.0 operating system and occurs after installingVIA 2.3.1 or later, or after upgrading VIA. Restart the Android 5.0 device after installing |
Bug ID |
Description |
36314 |
The application was vulnerable to MITM attacks. VIA 3.0.0 and earlier during the profile download process. This issue occurred when there were multiple SSL sessions during profile download and a trust check was only performed for the first session, and is resolved in VIA for Android 3.0.1. This issue was observed in Android devices in |
36677 |
VIA was unable to failover to a backup controller if port 443 was blocked. This issue is resolved by skipping controller reachability checks on port 443 during failover. Instead, VIA initiates an IPsec session directly with the controller. If the controller becomes unreachable, IKE negotiation fails with a timeout period of five seconds for the first UDP packet reply. VIA 3.0.0 when port 443 was blocked, and is resolved in VIA for Android 3.0.1. This issue was observed in Android devices in |
151428 |
VIA application crashed when users attempted to connect in the absence of network connectivity. TheVIA 3.0.0 when clients used the fully qualified domain name (FQDN) of a controller to download a VPN profile. This issue was observed in Android devices in |
The Android side-loading feature allows users to save configuration settings in a configuration file that VIA can refer to when attempting to establish a VIA connection.
To obtain the configuration file:
1. Navigate to
2. Enter your VIA user login credentials to log in to Mobility Master.
3. After successfully login in, change the URL to
4. Save the xml returned by
To add the configuration file to Android devices, copy the VIA does not have a profile already provisioned on the device, VIA will load the connection profile data from the file.
file to the root directory of the file system on the Android device(s) that should use this feature. On startup, ifNetwork administrators can enable the controller to prevent profile setting changes on the VIA client. When this knob is enabled, users cannot clear profiles or edit any settings on the tab, including the server and authentication profile.
knob on theVIA 3.0.0 introduces support for Samsung Knox™ to enhance security and provide mobile device management (MDM) integration. This feature includes:
Implementation of the Knox VPN service and APIs. Refer to the Samsung Knox™ Vendor Integration Guide for more details.
Automatic VIA profile provisioning in a Knox/MDM-controlled environment.
Use of a generic Knox VPN framework to setup IPSec VPN tunnels.
Support for dual IPSec tunnels. VIA can be used as an outer or inner tunnel in a dual tunnel environment.
Support for IPSec VPN tunnels inside the Knox container.
|
VIA supports Knox features on Samsung Android devices with Knox 2.2 and onwards. |
VIA 3.0.0 introduces a new User Interface (UI).
Bug ID |
Description |
135653 |
VIA connections with IKEv1 certificates fail when the certificate chain is used. controller does not have the complete certificate chain configured as a trusted CA, but individual certificates in the chain are configured as trusted CAs, the VIA connection fails with IKEv1 certificates. This issue is observed in Android devices in VIA 2.3.1. If thecontroller, configure the complete certificate chain of the intermediate CA as an ISAKMP CA certificate. On the |
27292 |
VIA fails to connect. VIA 2.2.6 or later, or after upgrading to VIA 2.2.6 when previous versions of VIA or any other VPN client are already installed and connected. This issue is specific to the Android 5.0 operating system and occurs after installingVIA 2.3.1 or later, or after upgrading VIA. Restart the Android 5.0 device after installing |
Bug ID |
Description |
33924 |
The application crashed on Android devices if the configured VPN profile contained multiple IKE authentication profiles. VIA 2.4.0, and is resolved in VIA for Android 3.0.0. This issue was observed in Android devices in |
34236 |
VIA connection failed if the server certificate used for the VPN connection included a street name and postal code. Certificate-basedVIA 2.3.1, and is resolved in VIA for Android 3.0.0. This issue was observed in Android devices in |
35028 |
VIA failed to connect when devices moved in and out of their Wi-Fi or LTE coverage areas. VIA 2.4.0, and is resolved in VIA for Android 3.0.0. This issue was observed in Android devices in |
The VIA GUI now contains a link to the worldwide HPE privacy statements.
t page of the
Bug ID |
Description |
N/A |
: VPN clients crash after 15-30 seconds after updating to iOS 13.0 or 13.1. This issue is caused by a bug in the Apple iOS 13, iOS 13.1, and iPadOS 13 releases. Apple has indicated that the solution to the issue will be released in the iOS13.2 release. : If allowed by your carrier, disable the Voice over LTE (VoLTE) functionality to allow the VPN client to operate with greater stability. |
Bug ID |
Description |
VIA-2211 |
VIA in a deployment with an Aruba Controller running ArubaOS 8.2.2.3-FIPS using Suite-B and ECDSA–384. iOS clients were unable to connect toEnhanced support for multi-chain and intermediate certificates in .pfx format has resolved this issue for users following these guidelines: The intermediate certificate should be on the VIA key chain. Intermediate and root certificates should be in DER encoded format. The root and intermediate certificates should be installed separately. Bundled certificates are not supported . The .pfx user certificate should be on VIA key chain. Root can be on either VIA or the device keychain. |
VIA-2330 |
VIA when those certificates were sent in an email. : iOS devices running iOS version 13.1 were unable to install certfiicates toVIA certificate installation process has resolved this issue. : Enhancements to the |
There are no new features in this release.
There are no new known issues in this release
Bug ID |
Description |
VIA-2266 |
The Virtual Intranet Agent for iOS GUI could fail to display certificates pushed using a Mobile Device Management (MDM) solution. Improvements to how certificates are pushed to the client certificate store using MDM has resolved this issue in Virtual Intranet Agent for iOS 3.0.6. |
Support for SSO-Based Authentication for VIA Profile Download
VIA 3.0.5 for iOS supports Security Assertion Markup Language (SAML) Single-Sign On (SSO), allowing VIA to manage VIA client access based on the attributes in the SAML response issued by the authenticating identity provider (IDP). When this feature is enabled and a VIA user submit a username and password through the VIA client, the VIA user is redirected to an external IDP for authentication. The Aruba controller then uses the attributes returned during the SAML assertion to derive the role and/or dynamic ACLs for that VIA client. The following new parameters have been added to the VIA authentication profile to enable this feature in ArubaOS 8.0.1.0-SP.
Parameter |
Description |
SSO based authentication for VIA Profile download |
Select this option to enable SSO-based authentication for clients downloading a VIA profile. This feature is disabled by default. |
Enabled SSO redirect URI and port |
Use this parameter to direct the request to a service provider URI. By default, ClearPass Policy Manager functions as the service provider for SAML, and can redirect the user to a ClearPass authentication page, or the authentication page of an external IDP. |
SSO ACL server host |
IP address or Fully Qualified Domain Name (FQDN) of the external ACL server. |
SSO ACL server configuration |
The ACL server configuration parameter requires the following information for the remote server: Server user name Server password Server URI Server Port |
New vendor settings have also been added to ClearPass Policy Manager to support this feature. Starting with ClearPass Policy Manager 6.7.5, the Web Logins configuration includes the new vendor settings template
. Once this is template configured and the IP address of the controller is added to the template, the client will always be authenticated will always against the SAML IDP configured in CPPM. After authentication, the following parameters are sent to <controller>/via/sso.sso_user – username entered by the user in the SAML IDP
sso_cookie – SSO cookie
Bug ID |
Description |
VIA-2266 |
The Virtual Intranet Agent for iOS GUI failed to display certificates pushed using a Mobile Device Management (MDM) solution. Clients running Virtual Intranet Agent for iOS 3.0.5 that do not see certificates pushed using MDM should download certificates directly from a URL or an email. |
There are no new resolved issues in this release.
Enhanced Certificate Support for Clients running iOS 12
Aruba Virtual Intranet Agent 3.0.4 for iOS introduces enhanced support for security certificates that simplify the certificate import process for clients running iOS version 12. These enhancements are in response to Apple's updated VPN framework in iOS 12. As part of their change, Apple removed access to the certificate store from VIA, requiring VIA users to manually import certificates.
With Aruba Virtual Intranet Agent 3.0.4, users with iOS devices are able to configure and use certificate-based VPNs without needing to be connected to an internal or protected network. Certificates can be pushed to these devices through an MDM/EMM solution, and iOS clients can also download certificates from an authenticated website or an email attachment.
To download a certificate from an email and install it on an iOS device:
1. Open the email from your network administrator, and select the attached certificate. The iOS Share menu opens.
2. Click the Aruba VIA icon to open the certificate with Aruba Virtual Intranet Agent 3.0.4.
Figure 7 Opening a Certificate with the iOS Share Menu
3. Enter the certificate password, then click .
Figure 8 Importing a Certificate from an Email
To configure your AirWatch MDM solution to push certificates to your iOS devices, use the following VPN settings.
1. In the field, enter .
2. In the field, enter .
3. In the field, select .
Bug ID |
Description |
VIA-2157 |
VIA clients fail to establish a VPN connection when using an Elliptic Curve (EC) certificate deployed by MDM/EMM solutions. : VIA clients will display the error message "Unable to import certificate due to an incorrect password, Do you want to try again?" when attempting to connect after deploying certificates from an MDM solution Aruba recommends that customers using MDM deploy RSA certificates until this issue is resolved. Clients requiring EC certificates should import the certificate from an email or web page to manually enter the EC certificate password. : |
Bug ID |
Description |
VIA-2106 |
Aruba Virtual Intranet Agent 3.0.3, when the feature would not automatically initiate a connection, requiring users to manually launch a VIA connection from a iOS client. When enabled, the option on the page of the iOS client failed to connect. This issue was observed inVIA automatically connects clients when they are using an external network and then attempt to connect to a internal domain (as defined in the parameter of the VIA Connection profile on the controller). |
VIA-2121 |
Aruba Virtual Intranet Agent 3.0.3 were unable to pass traffic when the client came out of sleep mode. : iOS clients usingAruba Virtual Agent 3.0.4 resolve this issue by ensuring VIA clients that enter and then exit sleep mode receive updated L2TP addresses once the IPsec Security Associations (SA) is reestablished. : Internal changes in |
Support for iOS 12
Aruba Virtual Intranet Agent 3.0.3 for iOS introduces Network Extension framework changes that allow Aruba Virtual Intranet Access for iOS to work on clients running iOS version 12. With the introduction of the new Network Extension framework, Aruba Virtual Intranet Access requires that all the certificates needed for the connection be available in the VIA certificate store.
Starting with Aruba Virtual Intranet Agent 3.0.3 for iOS, all certificates must be downloaded using the Certificate Downloader feature. When you attempt to establish a VPN connection, you can select currently available certificates in the VPN Authentication window , or click the + icon and download certificates by entering the certificate URL and password.
Figure 10 Download a Certificate
You can delete a certificate after you download your user profile and the certificate list is presented in the VPN Authentication window. Select and then swipe left on the certificate to be deleted to display the Delete option. Click the Delete option to remove the certificate.
Figure 11 Deleting a Certificate from the Certificate Store
This version of the application also supports iOS versions 9 and above (including iOS version 12).
|
This version of Aruba Virtual Intranet Access does not work with 32-bit devices. For an older version of this application go to https://itunes.apple.com/us/app/aruba-networks-via/id481378525?mt=8 (or search for "Aruba Networks VIA" in the app store.) |
iOS 12 Security Requirements Impacting VIA for iOS
iOS 12 introduces a change in security requirements that impacts server certificate validation on an iOS 12 device. iOS 12 enables the App Transport Security (ATS) Apple security standard, which enforces the following security requirements for communication between a server and client running Aruba Virtual Intranet Agent 3.0.3 for iOS and iOS 12.
1. A user must sign in with one of the key types:
An RSA key of at least 2048 bits
An ECC key of at least 256 bits
2. The certificate’s hashing algorithm must be SHA-2 with a digest length (also known as a fingerprint) of at least 256, that is, using SHA-256 or greater.
3. The X.509 digital server certificate must meet at least one of the following trust requirements:
Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
Issued by a trusted root CA and installed by the user or a system administrator
4. The negotiated Transport Layer Security (TLS) version must be TLS 1.2.
5. The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support Perfect Forward Secrecy (PFS) through a Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
There are no new known issues in Aruba Virtual Intranet Agent 3.0.3.
There are no new resolved issues in Aruba Virtual Intranet Agent 3.0.3.
There are no new features in VIA 3.0.2.
There are no new known issues in VIA 3.0.2.
Bug ID |
Description |
149813 |
VIA is connected, the user is unable to access the intranet (internal network). The user is unable to access internet on iOS devices even after the VPN tunnel is established. In this case, even whenVIA 3.0.1, and is resolved in VIA 3.0.2. This issue was observed in |
158247 |
VIA client crashes after changing the server information from a domain to the IP address of a VIA profile. VIA 3.0.1, and is resolved in VIA 3.0.2. his issue was observed in |
151991 |
IKE negotiation fails on iPhone and iPad devices every 20 - 30 minutes, causing intermittent tunnel disconnection. VIA 3.0.1, and is resolved in VIA 3.0.2. his issue was observed in |
VIA 3.0.1 introduces a new User Interface (UI).
This feature enables the client to automatically log in and establish a secure connection to the controller as soon as the connection profile is downloaded on the iOS device. This feature works even after restarting the iOS device.
The login banner feature allows you to display a static VIA connection to your users. This login banner or the window is displayed when the VIA connection is initiated. The window contains and buttons. The VIA connection is processed only if the user clicks the button. The button will close the information window and abort the VIA connection.
window that provides information related to your corporate policies or terms and conditions of using theTo upload the VIA login banner, perform the following steps:
1. Navigate to > > > .
2. In the section, click .
3. Browse to the location of the VIA login banner file and select it. Click .
There are no new known issues in VIA 3.0.1.
Bug ID |
Description |
30687 |
VIA UI shows the status as disconnected although tunnel is present. This issue is observed in VIA 2.1.5 or later versions when multiple connection profiles are configured. VIA. The fix ensures that the correct status is shown in |
30233 |
VIA UI directed the user to the add certificate page. This issue was observed when the user tried to connect to an EC based connection profile. The issue was observed in VIA 2.1.5 or later. TheVIA GUI. This issue is resolved after implementing an updated |
30250 |
VIA failed to allow users to connect to an EC based profile and displayed the error. This issue was observed when there were no certificate installed in the device certificate store. The issue was observed in VIA 2.1.5. This issue is resolved by implementing changes to the internal code and by implementing an updated GUI. |
30685 |
VIA UI displayed inconsistent profiles on the authentication profile page. Incorrect details of the connection profiles were displayed on the VIA UI. This issue was observed in iOS devices with VIA 2.1.5. TheThis issue is resolved after implementing an updated GUI. |
30686 |
VIA 2.1.7, in the tab, the values of and toggled. This issue was observed in iOS devices with VIA 2.1.7. InVIA 3.0.1 GUI. The fix ensures that this issue does not occur in the |
30688 |
VIA displayed after VIA was closed and relaunched although VPN was connected. This issue was observed when VIA still showed the tunnel on trusted network although VIA was relaunched using an untrusted network. VIA 3.0.1 GUI. The fix ensures that this issue does not occur in the |
30690 |
VIA UI failed to respond when navigating to other tabs. This issue was observed when the downloaded profile has multiple connection profiles. This issue was observed in iOS devices with VIA 2.1.5.The fix ensures that this issue does not occur in VIA 3.0.1 GUI. VIA 3.0.1 GUI. The fix ensures that this issue does not occur in |
31511 |
VIA continuously tried to connect and failed with the error in the UI. In the controller logs, the error is seen. This issue was observed when a profile mapped to the IKEv2 policy used SHA1- 96 HASH algorithm in the controller’s connection profile settings. This issue was specific to controllers running ArubaOS 6.3.x or earlier version. This issue is resolved by implementing internal code changes. |
31978 |
VIA failed to establish tunnel if ClearPass Policy Manager (CPPM) was used as the AAA server. This issue was observed when the user used EAP-TLS with CPPM server as the RADIUS server and iOS client devices running VIA 2.1.5. VIA 3.0.1. The fix ensures that this issue does not occur in |
Was this information helpful?
Great! Thanks for the feedback
Sorry about that! How can we improve it? Send your comments and suggestions!