Authentication Methods Supported in VIA

VIA supports the following authentication methods using the IKEv1 and IKEv2 protocols. See the Virtual Private Networks chapter in the ArubaOS 8.x.x.x or 6.5.x.x User Guide for information on configuring the authentication method on Mobility Master.


Support for two-factor authentication is provided in VIA using devices such as security tokens and smart cards. For more information on multi-factor authentication, see "Multi-Factor Authentication Mechanisms".

IKEv1

IKEv1 negotiates in two phases. Phase 1 authenticates the VPN client with either a pre-shared key or an X.509 certificate (the certificate must be present in the operating system's "user" certificate store). Because the pre-shared key is delivered in the VPN profile, it authenticates the holder of the profile rather than an individual user; extended authentication (XAUTH) adds the per-user factor. If XAUTH is enabled, the client must also supply a username and password; XAUTH runs after phase 1 completes and before phase 2 negotiates the IPsec SAs. The username and password are checked against the managed device's internal database or against an external RADIUS or LDAP server. If a RADIUS server is used, it must support PAP or MSCHAPv2.
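The XAUTH leg ends at the managed device; the RADIUS leg is where the PAP-or-MSCHAPv2 requirement above applies. The example below is added here and is not Aruba VIA or ArubaOS code: it builds the Access-Request a NAS (here, the managed device) sends for a PAP user and shows why the protection of a PAP password rests entirely on the RADIUS shared secret. RFC 2865 section 5.2 only XOR-masks the User-Password attribute with MD5(secret || previous block), so anyone who captures the packet and knows the secret recovers the password. The username, password and secret are constructed values; MSCHAPv2 is not shown.

```python
"""
RADIUS Access-Request for a PAP password, as a NAS would send it after an
XAUTH exchange. Added example, not Aruba VIA or ArubaOS code; the username,
password and shared secret used below are constructed.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password value per RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 octets; each block is XORed
    with MD5(shared_secret + previous ciphertext block), seeded with the
    16-octet Request Authenticator. This is keyed obfuscation, not
    authenticated encryption: the secret is the only thing protecting it.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def unhide_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_user_password. Trailing NUL padding is stripped, so a
    password that itself ends in NUL octets cannot be distinguished from padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block  # chaining uses the ciphertext block, not the plaintext
    return bytes(out).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; Length covers the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, user_name: bytes, password: bytes,
                         shared_secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Build the Access-Request a NAS sends for a PAP user (Code, Identifier, Length,
    Request Authenticator, then attributes)."""
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = _attribute(ATTR_USER_NAME, user_name)
    attrs += _attribute(ATTR_USER_PASSWORD, hide_user_password(password, shared_secret, authenticator))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV attribute list; rejects truncated or zero-length attributes."""
    attrs: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def recover_pap_password(packet: bytes, shared_secret: bytes) -> bytes:
    """What anyone holding the shared secret learns from a captured Access-Request."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length > len(packet) or length < 20:
        raise ValueError("not a complete Access-Request")
    authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    return unhide_user_password(attrs[ATTR_USER_PASSWORD], shared_secret, authenticator)


if __name__ == "__main__":
    SECRET = b"nas-shared-secret"  # constructed
    pkt = build_access_request(7, b"alice", b"correct horse battery staple", SECRET)
    print(recover_pap_password(pkt, SECRET))   # b'correct horse battery staple'
    print(recover_pap_password(pkt, b"guess"))  # unrelated bytes: wrong secret
```

The XAUTH password itself travels inside the phase 1 protected ISAKMP SA, so the exposed hop is the one from the managed device to the RADIUS server: with PAP, the shared secret and the network path between them are what keep the password private.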


VIA supports the following authentication methods in IKEv1:

Table 1: Authentication Methods in IKEv1

Authentication Method         IKE Information   Description
----------------------------  ----------------  -----------------------------------------------------------
Pre-Shared Key                IKEv1 PSK         No user prompt after the VPN profile is downloaded; the
                                                pre-shared key carried in the profile authenticates the
                                                client.
Username and Password         IKEv1 XAUTH       Credentials or token data are required when prompted.
PKI - Client Certificate      IKEv1 Cert        No user prompt after the VPN profile is downloaded; the
                                                certificate in the user certificate store authenticates
                                                the client.
PKI - Smart Card (PIN-based)  IKEv1 Cert        Two factors: the certificate on the card and the PIN that
                                                unlocks it. The PIN is required when prompted. See
                                                "Authentication using a Smart Card" for more information
                                                on smart cards.
Security Token - Hardware     IKEv1 XAUTH       The code from the physical token is required when prompted.
                                                See "Authentication using a Virtual Digital Badge" for more
                                                information on security tokens.
Security Token - Software     IKEv1 XAUTH       The code from the token software is required when prompted.
                                                See "Authentication using a Virtual Digital Badge" for more
                                                information on security tokens.
Mobile Authentication         IKEv1 XAUTH       An OTP or human interaction is required for authentication.
                                                See "Authentication using Duo" for more information on
                                                mobile authentication.
Biometric Authentication      IKEv1 XAUTH       Human interaction is required for authentication.

IKEv2

IKEv2 (RFC 7296) is the successor to IKEv1. It replaces the IKEv1 phase 1 and phase 2 exchanges with a single IKE_SA_INIT/IKE_AUTH exchange, which needs fewer round trips, and it carries user authentication inside IKE_AUTH with EAP instead of the XAUTH extension. VIA supports both RSA and ECDSA certificate-based authentication in IKEv2 and locates the X.509 client certificate in the operating system's certificate store. With EAP-MSCHAPv2 the gateway is authenticated only by its certificate, so the client must validate that certificate; a client that accepts any gateway certificate hands its MSCHAPv2 challenge-response to whatever endpoint it connects to.

VIA supports the following authentication methods in IKEv2:

Table 2: Authentication Mechanisms in IKEv2

Authentication Method         IKE Information     Description
----------------------------  ------------------  ---------------------------------------------------------
Username and Password         IKEv2 EAP-MSCHAPv2  Credentials are required when prompted.
PKI - Client Certificate      IKEv2 Cert          No user prompt after the VPN profile is downloaded; the
                                                  certificate in the certificate store authenticates the
                                                  client.
                              IKEv2 EAP-TLS       No user prompt after the VPN profile is downloaded; the
                                                  certificate in the certificate store authenticates the
                                                  client.
PKI - Smart Card (PIN-based)  IKEv2 Cert          Two factors: the certificate on the card and the PIN that
                                                  unlocks it. The PIN is required when prompted. See
                                                  "Authentication using a Smart Card" for more information
                                                  on smart cards.
                              IKEv2 EAP-TLS       Two factors: the certificate on the card and the PIN that
                                                  unlocks it. The PIN is required when prompted. See
                                                  "Authentication using a Smart Card" for more information
                                                  on smart cards.
Mobile Authentication         IKEv2 EAP-MSCHAPv2  An OTP or human interaction is required for
                                                  authentication. See "Authentication using Duo" for more
                                                  information on mobile authentication.
Biometric Authentication      IKEv2 EAP-MSCHAPv2  Human interaction is required for authentication.