Authentication Methods Supported in VIA
VIA supports the following authentication methods using the IKEv1 and IKEv2 protocols. See the Virtual Private Networks chapter in the ArubaOS
Support for two-factor authentication is provided in VIA using devices such as security tokens and smart cards. For more information on multi-factor authentication, see “Multi-Factor Authentication Mechanisms” on page 1.
IKEv1
IKEv1 consists of two authentication phases: phase 1 and phase 2. IKEv1 phase 1 authenticates the VPN client using either a pre-shared key or an X.509 certificate (the X.509 certificate must appear in the operating system’s “user” certificate store). If extended authentication (XAUTH) is used for phase 2 authentication, a username and password are required. The username and password are authenticated against the managed device’s internal database, which is either a RADIUS server or an LDAP server. If a RADIUS server is used, the PAP or MSCHAPv2 protocol must be supported.
VIA supports the following authentication methods in IKEv1:
Table 1: Authentication Methods in IKEv1
Authentication Method | IKE Information | Description |
---|---|---|
Pre-Shared Key | IKEv1 PSK | Authentication is not required after the VPN profile is downloaded. |
Username and Password | IKEv1 XAUTH | Credentials or token data is required when prompted. |
PKI - Client Certificate | IKEv1 Cert | Authentication is not required after the VPN profile is downloaded. |
PKI - Smart Card (PIN-based) | IKEv1 Cert | Smart cards support two-factor authentication: Certificate and PIN number. The PIN number is required when prompted. See “Authentication using a Smart Card” on page 1 for more information on smart cards. |
Security Token - Hardware | IKEv1 XAUTH | Code from the physical token is required when prompted. See “Authentication using a Virtual Digital Badge” on page 1 for more information on security tokens. |
Security Token - Software | IKEv1 XAUTH | Code from the token software is required when prompted. See “Authentication using a Virtual Digital Badge” on page 1 for more information on security tokens. |
Mobile Authentication | IKEv1 XAUTH | OTP or human interaction is required for authentication. See “Authentication using Duo” on page 1 for more information on mobile authentication. |
Biometric Authentication | IKEv1 XAUTH | Human interaction is required for authentication. |
IKEv2
IKEv2 is an updated version of IKE that is faster and supports a wider variety of authentication mechanisms. IKEv2 only uses a single-phase authentication process and supports both RSA and ECDSA certificate-based authentication. VIA locates an X.509 certificate in the operating system’s certificate store.
VIA supports the following authentication methods in IKEv2:
Table 2: Authentication Mechanisms in IKEv2
Authentication Method | IKE Information | Description |
---|---|---|
Username and Password | IKEv2 EAP-MSCHAPv2 | Credentials are required when prompted. |
PKI - Client Certificate | IKEv2 Cert | Authentication is not required after the VPN profile is downloaded. |
PKI - Client Certificate | IKEv2 EAP-TLS | Authentication is not required after the VPN profile is downloaded. |
PKI - Smart Card (PIN-based) | IKEv2 Cert | Smart cards support two-factor authentication: Certificate and PIN number. The PIN number is required when prompted. See “Authentication using a Smart Card” on page 1 for more information on smart cards. |
PKI - Smart Card (PIN-based) | IKEv2 EAP-TLS | Smart cards support two-factor authentication: Certificate and PIN number. The PIN number is required when prompted. See “Authentication using a Smart Card” on page 1 for more information on smart cards. |
Mobile Authentication | IKEv2 EAP-MSCHAPv2 | OTP or human interaction is required for authentication. See “Authentication using Duo” on page 1 for more information on mobile authentication. |
Biometric Authentication | IKEv2 EAP-MSCHAPv2 | Human interaction is required for authentication. |