Configuring VIA Settings in ArubaOS 8.x
Use the following steps to configure your controller for VIA. VIA can be configured using the WebUI or CLI. These steps are described in detail in the following subsections:
Perform the following steps to configure VIA using the WebUI.
Note: Certain features are not available in every platform. Refer to “Features Supported in VIA” on page 1 to view the list of features that are supported for each platform.
To configure a pre-shared key for VIA:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Click to expand that section.
3. Click at the bottom of the table.
4. Under , enter the and . Use the default value of if you are only using one pre-shared key.
5. Select the format in which your pre-shared key is displayed from the drop-down list.
6. Enter your pre-shared key, and then retype the key to confirm.
7. Click .
8. Select .
9. In the window, select the check box and click .
To upload certificates for VIA:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Click to expand that section.
3. Click at the bottom of the table. The page opens.
4. Enter a .
5. Click to locate and select a certificate from your local file explorer.
6. (Optional) Enter a passphrase, and then retype the passphrase to confirm.
7. Select the format of the certificate from the drop-down list.
8. Select or from the drop-down list.
9. Click .
10. Select .
11. In the window, select the check box and click .
Note: VIA allows use of certificates stored in smart cards for Windows and Linux devices.
Note: Both server certificates and trusted CAs (VIA. ) must be uploaded for
Note: For Linux devices, VIA can request certificates from a CA server using either the HTTP or SCEP protocol.
To select a server certificate for certificate-based authentication:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Click to expand that section.
3. Select a server certificate from the drop-down list.
4. Click .
5. Click to expand that section.
6. Under the table, click and select a CA certificate from the drop-down list.
7. (Optional) Under the table, click and select a and from the respective drop-down lists.
8. Click .
9. Select .
10. In the window, select the check box and click .
ArubaOS allows you to connect to VIA using the default user roles. However, you must install the Policy Enforcement Firewall Virtual Private Network (PEFV) license in order to configure and assign specific user roles. Refer to the Aruba Mobility Master Licensing Guide for more information on licenses.
To install a license:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to .
2. Under the tab, click to add a new license. The window opens.
3. Enter the license key(s) in the text box.
4. Click .
VIA user roles contain access control policies for users connecting to the network through VIA. You can configure different VIA roles or use the default VIA role default-via-role.
To create a VIA user role:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > Roles & Policies > .
2. Click at the bottom of the table to add a new user role. The window opens.
3. Enter a name for the role.
4. Click .
5. Select .
6. In the window, select the check box and click .
7. Select the new role from the table.
8. Click at the bottom of the table. The window opens.
9. Select or under , and then click .
10. Under , configure the parameters listed in Table 1.
Parameter | Description
IP version | Internet Protocol version:
Source | The traffic source: : Network alias : Any traffic source : Single host IP address : All local IP addresses in the system : IP address and netmask : IP address of the user
Destination | The traffic destination: : Network alias : Any traffic source : Single host IP address : All local IP addresses in the system : IP address and netmask : IP address of the user
Scope | Scope of the rule: For application rules only.
Service/app | The service or application to which this rule applies: : IP protocol : Any service or application : Network service : TCP port : UDP port For access control rules only.
Action | Denies or permits access to the network through VIA.
TOS | The 8-bit TOS/DSCP/ECN field in the IP header.
Time range | Time range for the rule. Click at the bottom of the drop-down list to add a new time range. Hover your mouse over an existing time range to edit or delete that time range. Click to use the default time range.
802.1p priority | 802.1p priority level of the rule.
Options | Enables or disables additional options for the rule: : Generates a log message each time the rule is applied. : Mirrors all session packets to the destination. : Blacklists users matching the rule. : Disables ARM scanning while traffic is present.
11. Click .
12. Select .
13. In the window, select the check box and click .
For more information on user roles, refer to the latest ArubaOS 8.x.x.x User Guide.
VIA authentication profiles contain server groups for authenticating VIA users. The server group contains the list of authentication servers and server rules to derive user roles, based on the user authentication. You can configure multiple VIA authentication profiles and/or use the default VIA authentication profile created in the Internal server group.
To create an authentication profile:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Select from the list.
3. Under , click to add a new authentication profile.
4. Configure the parameters listed in Table 3. Note that not all parameters available in ArubaOS 8.3 or later releases may be available in earlier versions of ArubaOS 8.x.
5. Click .
6. Select .
7. In the window, select the check box and click .
To modify an existing authentication profile:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Expand from the list.
3. Select an existing VIA authentication profile.
4. Modify the profile settings under .
5. Click .
6. Select .
7. In the window, select the check box and click .
To change the server group for an authentication profile:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Expand from the list.
3. Expand the VIA authentication profile.
4. Click under the selected authentication profile.
5. Under , select a different server group from the drop-down list.
6. (Optional) To enable authentication fail through and load balancing, select the check boxes for and .
7. Click .
8. Select .
9. In the window, select the check box and click .
To add a new server group:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Click at the bottom of the table. The window opens.
3. Enter a name for the new server group.
4. Click .
5. Select the server from the Server Groups table.
6. Modify the , , and as necessary. See the Authentication Servers chapter in the latest ArubaOS 8.x.x.x User Guide for more details on modifying server groups.
7. Click .
8. Select .
9. In the window, select the check box and click .
VIA connection profiles contain settings required by VIA to establish a secure connection to a standalone controller or a Mobility Master-managed device. VIA connection profiles are always associated to a user role, and all users belonging to that associated role use the configured settings. If you do not assign a VIA connection profile to a user role, the default connection profile is used. Multiple connection profiles can be configured.
Note: After establishing a connection to a standalone controller or a managed device, VIA sends heartbeat/keep-alive messages every 15 seconds.
Note: In Windows devices, VIA is functional with proxy settings configured in the system, but connection profiles with proxy settings cannot be downloaded.
To create a VIA connection profile:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Select from the list.
3. Under , click to add a new VIA connection profile.
Figure 1 Creating a VIA Connection Profile
4. Enter a .
5. Configure the remaining profile settings listed in Table 4.
Note: Certain settings are not available in every platform. Refer to “Features Supported in VIA” on page 1 to view the list of features that are supported for each platform.
Configuration Option | Description
VIA Servers | Enter the following information about a standalone controller. Controller Hostname/IP Address: the public IP address or the DNS hostname of the VIA controller; users connect to the remote server using this IP address or hostname. Controller Internal IP Address: the IP address of any of the VLAN interface IP addresses belonging to this controller. Controller Description: a human-readable description of the controller. Click the button after you have entered all the details. If you have more than one controller, you can order them by clicking the Up and Down arrows. To delete a controller from your list, select the controller and click the button.
Client Auto-Login | Enables or disables automatic login on the VIA client, which establishes a secure connection to the managed device as soon as the connection profile is downloaded. This option remains in effect after restarting the device. Default: Enabled
VIA Authentication Profiles to provision | Select an authentication profile to add a VIA authentication profile for IKE/IPsec authentication. If you have multiple VIA authentication profiles, you can re-order them by changing their position in the list.
Allow client to auto-upgrade | Enables or disables automatic upgrade of the VIA client when an updated version is available. This feature is enabled by default. Changes to the Apple VPN framework starting with macOS Mojave (10.14) prevent this feature from working with VIA for MacOS 3.1.3 and later releases.
VIA tunneled networks | A list of network destinations (IP addresses and netmasks) that the VIA client tunnels through the controller. All other network destinations are reachable directly by the VIA client. Enter an IP address and network mask and click to add it to the tunneled networks list. To delete a network entry, select the IP address and click .
Enable split-tunneling | Enable or disable split tunneling. If enabled, all traffic to the VIA tunneled networks goes through the controller and the rest is bridged directly on the client. If disabled, all traffic flows through the controller. Default: off
VIA Client WLAN Profiles | A VIA client WLAN profile must be pushed to client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks. Click at the bottom of the table, select a WLAN profile from the drop-down list, then click OK.
Allow client-side logging | Enable or disable client-side logging. If enabled, the VIA client collects logs that can be sent to the support email address for troubleshooting. Default: Enabled
VIA IKE V2 Policy | List of available IKEv2 policies.
VIA IKE Policy | List of IKE policies that the VIA client uses to connect to the controller. These IKE policies are configured under > > > > .
Use Windows Credentials | Enable or disable the use of Windows credentials to log in to VIA. If enabled, remote users can use SSO (Single Sign-On) to connect to internal resources. Default: Enabled
Use L2 Forwarding | When this feature is enabled and the VIA client has made a VPN connection to the controller, the VIA client activates its internal virtual-hardware L2 adapter. Traffic generated by this adapter is routed to the controller for processing, allowing the VIA client to send GRE packets containing Ethernet frames through the IPsec tunnel already established with the controller. GRE packets received from the IPsec tunnel are processed and forwarded according to the L2 routing rules on the controller. All L2 packets destined (by client MAC address) to the VIA client are also processed and encapsulated in GRE packets over the IPsec tunnel. This feature is disabled by default and was introduced in ArubaOS 8.4. Best practice is to avoid enabling the option and the feature at the same time. L2 forwarding affects the behavior of split tunneling, so devices using both features simultaneously operate in a mode closer to full tunnel than split tunnel. This is not a known issue but an effect of the design of these features.
Enable IKEv2 | Select this option to enable or disable the use of IKEv2 policies for VIA.
Use Suite B Cryptography | Select this option to use Suite B cryptography methods. You must install the Advanced Cryptography license to use Suite B cryptography.
IKEv2 Authentication method | List of all IKEv2 authentication methods.
VIA IPSec V2 Crypto Map | List of all IPsec V2 crypto maps that the VIA client uses to connect to the controller.
VIA IPSec Crypto Map | List of IPsec crypto maps that the VIA client uses to connect to the controller. These IPsec crypto maps are configured in the CLI using the command .
Allow user to save Passwords | Allows the user to save the VIA password.
Enable Supplicant | If enabled, VIA starts in bSec mode using L2 Suite B cryptography. This option is disabled by default.
Enable FIPS Module | Enables the VIA FIPS (Federal Information Processing Standard) module so that VIA checks for FIPS compliance during startup. This option is disabled by default.
Auto-Launch Supplicant | Select this option to automatically connect to a configured WLAN network.
Lockdown all Settings | If enabled, all user options on the VIA client are disabled.
Domain Suffix in VIA Authentication | Enables a domain suffix on VIA authentication, so client credentials are sent as instead of just .
Enable Controllers Load Balance | Enable this option to allow the VIA client to fail over to the next available , selected randomly from the list configured in the VIA Servers option. If disabled, VIA fails over to the next in the ordered list of VIA servers.
Enable Domain Preconnect | Enable this option to allow users with lost or expired passwords to establish a VIA connection to the corporate network. This option authenticates the user’s device and establishes a VIA connection that allows users to reset their credentials and continue with corporate access.
Enable Generating common profile if DPC is enabled | Enable this option to preprovision a VIA profile for new users. This feature is useful if multiple users on your network share the same system: after the first user downloads the VPN connection profile, subsequent users who log in do not have to provide initial details such as the VPN gateway address and user credentials.
VIA Banner Message Reappearance Timeout (minutes) | The maximum time (minutes) allowed before the VIA login banner reappears. Default: 1440 min
VIA Client Network Mask | VIA client network mask, in dotted decimal format.
Validate Server Certificate | Enable or disable validation by VIA of the server certificate presented by the controller. Default: Enabled
VIA Client DNS Suffix List | The comma-separated DNS suffix list that is set on the client once the VPN connection is established. Default: None.
OCSP Cert verification enabled | Enables or disables verification of certificates using the Online Certificate Status Protocol (OCSP).
In EAP/IKE, action taken when OCSP Cert verification result is unknown | The action taken when the revocation status of a certificate checked via OCSP is unknown.
VIA domain name profiles | To select a domain name profile, click at the bottom of the table, and enter the following information for the domain name: : Common name of the organization. : Name of the organization. : Organizational unit, such as a department. : Two-letter ISO country code for the country in which the organization is located.
Destination Traffic to be blocked | To block traffic for a specific destination or user, click at the bottom of the table and enter the following information: : IP address of the user or destination. : Network mask.
block-destination-traffic-selector (ON/OFF) | Enable this option to block traffic to the selected destinations.
VIA max session timeout | The maximum time (minutes) allowed before the VIA session is disconnected. Default: 1440 min
VIA Logon Script | Specify the name of the logon script that must be executed after VIA establishes a secure connection. The logon script must reside on the client computer.
VIA Logoff Script | Specify the name of the logoff script that must be executed after the VIA connection is disconnected. The logoff script must reside on the client computer.
VIA Support Email Addresses | The support e-mail address to which VIA users will send client logs.
Maximum reconnection attempts | The maximum number of reconnection attempts by the VIA client after authentication failures. Default: 3
VIA external download URL | End users use this URL to download VIA on their computers. Changes to Apple VPN requirements for macOS Mojave (10.14) remove support for external download URLs for VIA 3.13 Mac® Edition. This release of VIA for MacOS must be downloaded directly from the Apple App Store.
Allow user to disconnect VIA | Enables or disables the ability of users to disconnect their VIA sessions. Default: on
Content Security Gateway URL | If split-tunnel forwarding is enabled, access to external (non-corporate) web sites is verified by the specified content security service provider.
Comma separated list of HTTP ports to be inspected (apart from default port 80) | Traffic on the specified ports is verified by the content security service provider.
Certificate Criteria | Allows admin users to filter the certificates that can be used to establish the IPsec connection when a user certificate or EAP-TLS is used as the authentication method. Use the following certificate attributes or OIDs to set the certificate criteria: (OID 2.5.4.3) (OID 2.5.4.11) (OID 2.5.4.10) (OID 2.5.29.17) (OID 2.5.29.29) (OID 1.3.6.1.4.1.311.20.2.3) (OID 1.2.840.113549.1.9.1) (OID 1.2.840.113549.1.9.20) The maximum length is 256 characters. Each attribute or OID must be separated by a semicolon. If an attribute or OID contains any spaces, the entire string must be enclosed in quotation marks.
Enable Content Security Services | Select this check box to enable the content security service. You must install the Content Security Services license to use this option.
VIA window minimized | Enable this option to minimize the VIA client to the system tray during the connection phase. Applicable to VIA clients installed on computers running Microsoft Windows.
Block traffic until VPN tunnel is up | If enabled, this feature blocks network access until the VIA VPN connection is established. Note that VIA automatically adds exceptions for the following IP addresses: the default gateway, the DNS server, the DHCP server, the controller's internal and external addresses, and any local subnet that can be reached through a single hop. Use the parameter in this profile to define a whitelist of IP addresses to which this setting does not apply (for example, a list of target IP addresses that should be allowed through to a captive portal).
Block traffic rules | Specify a hostname or IP address and network mask to define a whitelist of users to which the setting will not apply.
Select the check box to configure the user idle timeout value for this profile. Specify the idle timeout value for the client in seconds. The valid range is 30-15300, in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
VIA Client MTU value | VIA calculates the optimal MTU value for the virtual adapter based on the physical network interface on the client machine. In some situations this calculated value may not be desired, so this setting allows the administrator to change the MTU value used by VIA. VIA compares the VIA-calculated MTU with the configured MTU and uses the lesser value. For example, if the VIA-calculated MTU is 1300 and the configured MTU is 1452, VIA uses 1300.
tos-dscp value | Marks outgoing IKE and ESP packets with a DSCP value from 0 to 63. The VIA client uses this value to mark the IP packets for both IKE (during tunnel creation) and ESP/IPsec (after the tunnel is established), so that packets receive appropriate QoS treatment from intermediate network devices between the client and the managed device or standalone controller. If this value is left at the default setting (0), the Windows VIA client copies the original DSCP marking of the inner packet to the outer packet, retaining the original QoS marking; this behavior can be considered equivalent to or better than best-effort service. On all other (non-Windows) platforms, if this value is not explicitly set to something other than 0, the outer packet is marked with DSCP 0 (best effort).
6. Click .
7. Select .
8. In the window, select the check box and click .
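The following is an added example, not code from the ArubaOS documentation or from Aruba: it models, as plain Python, three client-side behaviours described in the connection profile table (split tunneling together with the L2 forwarding caveat, the pre-tunnel exceptions of "Block traffic until VPN tunnel is up", and the outer DSCP marking of the tos-dscp value). The profile representation, the function names and all sample addresses are constructed here for illustration; the auto-exceptions are discovered by the real client at run time, so the caller supplies them.

```python
"""Added example (not Aruba's code): VIA connection profile forwarding decisions.

Models, from the profile table above:
  - post-connect forwarding (VIA tunneled networks / Enable split-tunneling /
    Use L2 Forwarding),
  - pre-connect access while "Block traffic until VPN tunnel is up" is active,
  - the DSCP value written on outer IKE/ESP packets (tos-dscp value).
All addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List


def _net(spec: str):
    # Accept "10.0.0.0/8", "10.0.0.0/255.0.0.0" or a bare host address.
    return ipaddress.ip_network(spec, strict=False)


def _in_any(dst: str, nets: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip in _net(n) for n in nets)


@dataclass
class ViaConnectionProfile:
    # Assumed representation of the profile options named in the table.
    tunneled_networks: List[str] = field(default_factory=list)  # "VIA tunneled networks"
    split_tunneling: bool = False        # "Enable split-tunneling", default off
    l2_forwarding: bool = False          # "Use L2 Forwarding", default off (ArubaOS 8.4+)
    block_until_tunnel_up: bool = False  # "Block traffic until VPN tunnel is up"
    block_traffic_rules: List[str] = field(default_factory=list)  # whitelist for the above
    tos_dscp: int = 0                    # "tos-dscp value", 0..63, default 0


def effective_tunnel_mode(p: ViaConnectionProfile) -> str:
    """'full' or 'split'. The table notes that enabling L2 forwarding makes a
    split-tunnel profile behave more like full tunnel, so it is treated as such."""
    if not p.split_tunneling or p.l2_forwarding:
        return "full"
    return "split"


def goes_through_controller(dst: str, p: ViaConnectionProfile) -> bool:
    """Post-connect forwarding: with split tunneling off everything goes through
    the controller; with it on, only the tunneled networks do."""
    if effective_tunnel_mode(p) == "full":
        return True
    return _in_any(dst, p.tunneled_networks)


def allowed_before_tunnel_up(dst: str, p: ViaConnectionProfile,
                             auto_exceptions: Iterable[str]) -> bool:
    """Pre-connect access when the block setting is on. auto_exceptions holds the
    addresses the table says VIA adds automatically (default gateway, DNS, DHCP,
    controller internal/external addresses, single-hop local subnets)."""
    if not p.block_until_tunnel_up:
        return True
    return _in_any(dst, auto_exceptions) or _in_any(dst, p.block_traffic_rules)


def outer_dscp(p: ViaConnectionProfile, inner_dscp: int, platform: str) -> int:
    """DSCP written on outer IKE/ESP packets. A non-zero configured value is used
    as-is; with the default 0, Windows copies the inner packet's DSCP and all
    other platforms mark best effort (0)."""
    if not 0 <= p.tos_dscp <= 63:
        raise ValueError("tos-dscp value must be 0..63")
    if p.tos_dscp != 0:
        return p.tos_dscp
    return inner_dscp if platform == "windows" else 0


if __name__ == "__main__":
    # Constructed sample profile and client environment.
    profile = ViaConnectionProfile(
        tunneled_networks=["10.0.0.0/8", "192.168.50.0/255.255.255.0"],
        split_tunneling=True,
        block_until_tunnel_up=True,
        block_traffic_rules=["203.0.113.10/32"],   # e.g. a captive portal
    )
    exceptions = ["192.168.1.1", "192.168.1.0/24", "198.51.100.5"]
    for dst in ("10.20.30.40", "8.8.8.8", "203.0.113.10"):
        print(dst, "tunnel:", goes_through_controller(dst, profile),
              "pre-connect:", allowed_before_tunnel_up(dst, profile, exceptions))
    print("outer DSCP (windows, inner 46):", outer_dscp(profile, 46, "windows"))
    print("outer DSCP (linux, inner 46):", outer_dscp(profile, 46, "linux"))
```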
VIA connection profiles must be associated to a user role. Users log in by authenticating against the server group specified in the VIA authentication profile, after which they are placed into a user role. The VIA configuration settings are derived from the VIA connection profile attached to that user role; if no profile is attached, the default VIA connection profile is used.
To associate a VIA connection profile to a user role:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > .
2. Select the VIA user role from the table (see Creating VIA User Roles for details on creating user roles).
3. Click .
4. Under the tab, click to expand that section.
Figure 2 Associating a VIA Connection Profile to a User Role
5. Select a VIA connection profile from the drop-down list.
6. Click .
7. Select .
8. In the window, select the check box and click .
VIA web authentication profiles contain an ordered list of VIA authentication profiles. The web authentication profile is used by end-users to login to the VIA download page (https://<server-IP-address>/via), where they can download the VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is configured, users can view this list and select a profile during client login.
To configure a VIA web authentication profile:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > .
2. Expand from the list, and click on the default profile.
Note: You can have only one profile for VIA web authentication.
3. Under , click at the bottom of the list.
Figure 3 Configuring the Default VIA Web Authentication Profile
4. Select a profile from the drop-down list, and then click .
5. Click .
6. Select .
7. In the window, select the check box and click .
If you have multiple VIA authentication profiles, you can re-order them by changing their . Click the icon to delete an authentication profile from the list.
You can push WLAN profiles to end-user computers that use the Microsoft Windows Wireless Zero Config (WZC) service to configure and maintain their wireless networks. After the WLAN profiles are pushed to the end-user computers, they are automatically displayed as an ordered list in the preferred networks. The VIA client WLAN profiles provisioned on the client can be selected from the VIA connection profile described in “Creating VIA User Roles” on page 1.
To configure a VIA client WLAN profile:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > System > .
2. Expand from the list.
3. Select the VIA profile.
4. Under , click to add a new WLAN profile.
5. Enter a .
6. Configure the profile settings listed in Table 5.
Parameter | Description
EAP Type | EAP type used by clients to connect to the wireless network. Default: EAP-PEAP
Inner EAP Type | Inner EAP type.
EAP-PEAP options | If you are using EAP-PEAP (Protected EAP), you can select the following options to connect to the network: : Validates the server certificate. : Allows fast reconnect. : Performs quarantine checks. : Disconnects if the server does not present the cryptobinding TLV. : Disables user prompts for authorizing new servers or trusted certification authorities.
EAP-Certificate Options | If you are using EAP-certificate, you can select the following options to connect to the network: Uses a smart card. Uses a certificate on the user's computer or a simple certificate selection method (recommended). Uses a different user name for the connection (and not the CN on the certificate). Validates the server certificate.
Inner EAP Authentication options | If you are using inner EAP authentication, you can select the following options to connect to the network: Uses the Windows logon name and password (and domain, if any). Uses a smart card. Uses a certificate on the user's computer or a simple certificate selection method (recommended). Uses a different user name for the connection (and not the CN on the certificate). Validates the server certificate.
Automatically connect when this WLAN is in range | If enabled, this option allows WZC (Microsoft Windows Wireless Zero Config tool) to connect when the network (SSID) is available. Default: Enabled
EAP-PEAP: Connect only to these servers | List of servers to which users can connect with EAP-PEAP, separated by commas.
Enable IEEE 802.1x authentication for this network | If selected, this option enables 802.1x authentication for the network. Default: Enabled
EAP-Certificate: Connect only to these servers | List of servers to which users can connect with an EAP certificate, separated by commas.
Authenticate as computer when computer info is available | Select this option when computer information is available. If enabled, the client performs computer authentication during login.
Inner EAP-Certificate: Connect only to these servers | List of servers to which users can connect with an inner EAP certificate, separated by commas.
Authenticate as guest when computer or user info is unavailable | Select this option when computer or user information is not available. If enabled, the client authenticates as a guest during login.
Connect even if this WLAN is not broadcasting | Allows VIA to connect even if the WLAN is not broadcast. Default: Disabled
7. Click .
8. Select .
9. In the Pending Changes window, select the check box and click Deploy Changes.
The following sections describe additional VIA options.
Manual Upgrade and Downgrade
Users can install a later version of VIA on top of an earlier version, or an earlier version of VIA on top of a later version (unsupported fields are omitted during a downgrade).
Note: Manual downgrade is not available in iOS devices.
IKE Rekey
IKE rekey occurs at a configured interval in the IKE proposal.
Note: IKE Rekey is not available in iOS devices.
To configure the rekey (security association) interval in the WebUI:
1. In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN.
2. Click or to expand that section.
3. Select an existing IKE policy from the or table, or click to add a new policy.
4. Under the field, enter a rekey interval, in seconds.
5. Click .
6. Select .
7. In the window, select the check box and click .
To configure the rekey (security association) interval in the CLI, execute the following command:
(host) [mm] (config) #crypto isakmp policy <priority> lifetime <seconds>
IPsec Rekey
IPsec rekey occurs at a configured interval in the IPsec proposal.
Note: IPsec Rekey is not available in iOS devices.
To configure the rekey (security association) interval in the WebUI:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to Configuration > Services > VPN.
2. Click to expand that section.
3. Select an existing IPsec map from the table, or click to add a new IPsec map.
4. Under the or field, enter a rekey interval, in seconds or kilobytes.
5. Click .
6. Select .
7. In the window, select the check box and click .
To configure the rekey (security association) interval in the CLI, execute the following commands:
(host) [mm] (config) #crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>
set security-association lifetime kilobytes <kilobytes>
set security-association lifetime seconds <seconds>
IKEv1 and IKEv2 SSL-Fallback
When UDP port 4500 is blocked, VIA establishes IPsec over SSL using TCP port 443.
To enable this option in the WebUI:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to .
2. Select the check box.
3. Click .
4. Select .
5. In the window, select the check box and click .
To enable this option in the CLI, execute the command.
IKEv1 SSL-fallback and IKEv2 SSL-fallback are not available in Android devices.
Extended Authentication (XAUTH)
Extended Authentication (XAUTH) is an Internet Draft that permits user authentication after IKEv1 authentication. XAUTH prompts the user for a username and password, which are authenticated through an external RADIUS or LDAP server or the Mobility Master/managed device's internal database. Alternatively, users can start client authentication with a smart card, which contains a digital certificate to verify the client credentials. IKEv1 authentication can be done with either an IKE pre-shared key or digital certificates.
To enable XAUTH in the WebUI:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to Configuration > Services > VPN.
2. Click to expand that section.
3. Select from the drop-down list.
4. Click .
5. Select .
6. In the window, select the check box and click .
Management APIs
Management APIs are based on Android messages and intents. For more details, refer to the Android VIA Management API Guide.
ArubaOS allows you to rebrand VIA client and the VIA download page with a custom logo, HTML page, and login banner.
VIA supports Alcatel-Lucent and Dell OEMs.
OEMs and rebranding are only supported in Windows and Mac OS devices.
Customizing the Logo
To use a custom logo on VIA client and the VIA download page:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Select to expand that section.
3. Under the section, click to locate and select a logo from your local file explorer.
4. Click .
5. Select .
6. In the window, select the check box and click .
Figure 4 Customizing the VIA Logo
To use the default VIA logo, click .
Customizing the Landing Page for Web-based Login
To use a custom landing page for VIA web login:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Select to expand that section.
3. Under the section, click to locate and select the HTML file from your local file explorer.
Variables that are used in the custom HTML file must have the following notation:
<% user %>: Displays the username.
<% ip %>: Displays the IP address of the user.
<% role %>: Displays the user role.
<% logo %>: The custom logo (Example: <img src="<% logo %>">)
<% logout %>: The logout link (Example: <a href="<% logout %>">VIA Web Logout</a>)
<% download %>: The installer download link (Example: <a href="<% download %>">Click here to download VIA</a>)
4. Click .
5. Select .
6. In the window, select the check box and click .
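The variable notation above is easy to get wrong (for example <% username %> instead of <% user %>), and a mistyped variable is simply left unsubstituted on the live landing page. The following is an added example, not part of the Aruba documentation, that checks a custom HTML file against the documented variable names and renders an offline preview. The sample page and the preview values are constructed here; the controller's own substitution and escaping behaviour is not described on this page, so the escaping in the preview is this example's assumption.

```python
import re
from html import escape

# Variables the VIA web-login landing page supports, as listed in the
# ArubaOS documentation. The controller substitutes them when it serves the page.
SUPPORTED_VARS = {"user", "ip", "role", "logo", "logout", "download"}

# Matches the <% name %> notation; whitespace inside the delimiters is optional.
VAR_RE = re.compile(r"<%\s*([A-Za-z_][A-Za-z0-9_]*)\s*%>")

# Constructed sample landing page (not taken from the Aruba documentation).
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head><title>Corporate VPN</title></head>
<body>
  <img src="<% logo %>" alt="logo">
  <p>Welcome <% user %> (<% ip %>), role <% role %>.</p>
  <p><a href="<% download %>">Click here to download VIA</a></p>
  <p><a href="<% logout %>">VIA Web Logout</a></p>
</body>
</html>
"""


def find_unsupported_vars(html_text):
    """Return the set of <% ... %> names that are not documented VIA variables.

    Run this before uploading a custom landing page so that typos are caught
    offline instead of appearing verbatim to end users.
    """
    found = {m.group(1) for m in VAR_RE.finditer(html_text)}
    return found - SUPPORTED_VARS


def render_preview(html_text, values):
    """Simulate substitution for an offline preview of the landing page.

    Assumption of this example: substituted values are HTML-escaped so that a
    username such as <script> cannot inject markup into the preview. Unknown
    variables are left untouched so they remain visible in the output.
    """
    def repl(match):
        name = match.group(1)
        if name in values:
            return escape(str(values[name]))
        return match.group(0)

    return VAR_RE.sub(repl, html_text)


if __name__ == "__main__":
    print("unsupported:", find_unsupported_vars(SAMPLE_PAGE))
    print(render_preview(SAMPLE_PAGE, {
        "user": "alice", "ip": "10.0.0.5", "role": "example-via-role",
        "logo": "/logo.png", "logout": "/logout", "download": "/via.msi",
    }))
```

Point find_unsupported_vars at the file you intend to upload in step 3; an empty result means every variable in the file is one the controller will substitute.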
To use the default welcome page, click .
Customizing the Login Banner
The login banner ensures that end-users agree to a customized terms-of-service before using the private network established by VIA. To use a custom login banner for VIA client:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Select to expand that section.
3. Under the section, click to locate and select the custom login banner from your local file explorer.
4. Click .
5. Select .
6. In the window, select the check box and click .
To use the default login banner, click .
To upload a new VIA installer on the web page:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Select to expand that section.
3. Click at the bottom of the table. The window opens.
4. Click to locate and select the installer from your local file explorer.
5. Click .
6. Click .
7. Select .
8. In the window, select the check box and click .
The installer file must be in the format.
To download the VIA installer:
1. On a standalone controller or in the hierarchy on Mobility Master, navigate to > > .
2. Select to expand that section.
3. Select an package from the table to download the installation file.
Figure 5 Downloading a VIA Installer
Additionally, you can download the VIA installer from the Aruba Support Site or the App store for mobile devices.
The following steps describe how to configure VIA using the CLI.
You can only add licenses to a managed device via the Mobility Master configuration node.
(host) [mm] (config) #license add <PEFV_license_key>
(host) [md] (config) #user-role example-via-role
(host) [md] (config-role) #access-list session "allowall" position 1
(host) [md] (config-role) #access-list session "v6-allowall" position 2
(host) [md] (config) #aaa server-group "via-server-group"
(host) [md] (Server Group "via-server-group") #auth-server "Internal" position 1
(host) [md] (config) #aaa authentication via auth-profile default
(host) [md] (VIA Authentication Profile "default") #default-role example-via-role
(host) [md] (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
(host) [md] (VIA Authentication Profile "default") #server-group "via-server-group"
(host) [md] (VIA Authentication Profile "default") #client-cert-enable
If client certificate-based authentication is enabled on the VIA authentication profile and you do not want to use the default port 8085 for profile downloads, execute the following command to configure the port for certificate-based authentication:
(host) [md] (config) #web-server profile via-client-cert-port <via-client-cert-port>
The valid range for the port number used for VIA client-cert based profile downloads is <1025-65535>, and the default value is 8085. The port configured for VIA client certificate-based authentication must also be configured on the control plane firewall using the command. If the port is not configured on the control plane firewall, all packets sent to the port will be dropped, and the HTTPS connection will not be established.
(host) [md] (config) #aaa authentication via connection-profile "via"
(host) [md] (VIA Connection Profile "via") #server addr 192.1.30.100 internal-ip 192.1.30.09 desc "VIA Primary Controller" position 0
(host) [md] (VIA Connection Profile "via") #auth-profile "default" position 0
(host) [md] (VIA Connection Profile "via") #tunnel address 192.1.1.45 netmask 255.255.255.0
(host) [md] (VIA Connection Profile "via") #split-tunneling
(host) [md] (VIA Connection Profile "via") #windows-credentials
(host) [md] (VIA Connection Profile "via") #client-netmask 255.0.0.0
(host) [md] (VIA Connection Profile "via") #dns-suffix-list example.com
(host) [md] (VIA Connection Profile "via") #support-email via-support@example.com
(host) [md] (VIA Connection Profile "via") #certificate-criteria certificateIssuer="HPE Root CA"; 2.5.4.10=SmartCard; emailAddress=support@example.com
To enable content security services (CSS), execute the following commands. CSS is only available if you have installed the content security services license. See the Aruba Mobility Master Licensing Guide for more information on licenses.
(host) [md] (VIA Connection Profile "via") #enable-csec
(host) [md] (VIA Connection Profile "via") #csec-gateway-url https://css.example.com
(host) [md] (VIA Connection Profile "via") #csec-http-ports 8080,4343
Enter the following command after you create the client WLAN profile (see Configuring VIA Client WLAN Profiles for more details):
(host) [md] (VIA Connection Profile "via") #client-wlan-profile "via_corporate_wpa2" position 0
(host) [md] (config) #aaa authentication via web-auth default
(host) [md] (VIA Web Authentication "default") #auth-profile default position 1
You can have only one profile (default) for VIA web authentication.
(host) [md] (config) #user-role "example-via-role"
(host) [md] (config-role) #via "via"
(host) [md] (config) #wlan ssid-profile "via_corporate_wpa2"
(host) [md] (SSID Profile "via_corporate_wpa2") #essid corporate_wpa2
(host) [md] (SSID Profile "via_corporate_wpa2") #opmode wpa2-aes
(host) [md] (config) #wlan client-wlan-profile "via_corporate_wpa2"
(host) [md] (VIA Client WLAN Profile "via_corporate_wpa2") #ssid-profile "via_corporate_ssid"
For detailed configuration parameter information, see the command in the latest ArubaOS 8.x.x.x CLI Reference Guide.
Rebranding VIA and uploading the installer can only be performed using the WebUI. See Rebranding VIA and Uploading VIA Installers.