Introduction
Virtual Intranet Access (VIA) is part of the Aruba remote networks solution targeted at teleworkers and mobile users. VIA detects the user's network environment (trusted or untrusted) and automatically connects the user to their enterprise network. Trusted networks typically refer to a protected office network that allows users to directly access the corporate intranet. Untrusted networks are public Wi-Fi hotspots such as airports, cafes, or home networks.
The VIA solution comes in two parts—VIA connection manager and the controller configuration.
Suite B is a new set of cryptographic algorithms that are approved by the US Government for use in classified communication. Suite B provides the highest levels of security available today in public, commercial algorithms.
Specifically, VIA provides support for:
- RFC 4869—Suite B Cryptographic Suites for IPsec
- AES-GCM 128/256 for bulk data transfer
- ECDSA for digital signatures, including support for X.509v3 certificates using ECDSA keys with p256/p384 curves
- ECDH for key agreement using p256/p384 curves
- SHA-256 and SHA-384 for message digests
Prerequisites
Prior to moving forward with the controller configuration, the following prerequisites must first be accomplished:
- Elliptic Curve certificates will need to be generated using Windows Server 2008 R2. This version of Windows Server supports the creation of a PKI that allows a Certificate Authority to be implemented that supports Suite-B algorithms. The CA root, server, and user certificates will need to be generated prior to configuring the controller. Once created, the CA root and server EC certificates will be uploaded to the controller and used as part of the authentication process.
- Verify that the controller to be configured supports Suite-B algorithms. While all Aruba 600 series controllers support Suite-B, not all 3000 or M3 series controllers do. Check the serial number on your controller and verify it against Table 3 on page 4 to determine if your controller supports Suite B.
- If necessary, upgrade the controller to ArubaOS version 6.1.2.3 (or later). This version of ArubaOS is required to support Suite B.
- The Advanced Cryptography License (ACR) will need to be installed on the controller to support Suite-B algorithms.
- The Policy Enforcement Firewall for VIA (PEFV) license will need to be installed on the controller to provide policy enforcement when using the VIA client for secure communication with the controller.
- If the controller will be installed behind a firewall device, the following ports must be allowed for traffic going to the IP address of the controller:
  - TCP 443 – During the initializing phase, VIA uses HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks.
  - UDP 4500 – Required for IPSec transport
Configuration Steps
Many of the configuration steps are similar to normal VIA configuration steps except VIA Authentication Profile and VIA Connection Profile will be configured to provide Suite-B capabilities. Authentication will be certificate based using IKEv2. In order to provide for policy enforcement with VIA, the Aruba PEFV license is required to be installed onto the controller.
Step 1 : Configure Suite-B Client Address Pool & Select the IKE Server & CA Root Certs
Select the IKE server cert (must be capable of ECDSA)
(hostname)(config)# crypto-local isakmp server-certificate “cert name”
Add and select the CA cert assigned for VPN clients (must be capable of ECDSA)
(hostname)(config)# crypto-local isakmp ca-certificate <cacert-name>
Step 2 : Modify the default-ikev2-dynamicmap to add Suite B transforms
(hostname)(config)# crypto dynamic-map default-ikev2-dynamicmap 10000
(hostname)(config-dynamic-map)# set transform-set “default-gcm128” “default-gcm256” “default-1st-ikev2-transform” “default-3rd-ikev2-transform”
The two transform sets related to Suite B correspond to the following IKE policies:
- “default-gcm128” = Default Suite-B policy 10008: AES-128-GCM for data encryption, SHA-256 for data integrity, and 256-bit elliptic curve digital signatures (ECDSA) for authentication
- “default-gcm256” = Default Suite-B policy 10009: AES-256-GCM for data encryption, SHA-384 for data integrity, and 384-bit elliptic curve digital signatures (ECDSA) for authentication
Step 3 : Create user role to be mapped to the VIA authentication profile
Step 4 : Create VIA Authentication profile
- Select the user role created above as the Default Role
- Ensure that “Check certificate common name against AAA server” is unchecked (if it is checked and the internal DB is the server group, the DB must contain an entry corresponding to the certificate CN)
- Add the correct server group for VIA authentication (in the field this will most likely be internal)
Currently the most popular RADIUS servers do not support EAP-TLS over IKEv2 with EC certificates (currently all Suite B deployments use VIA and IKEv2 native certificate authentication on the controller; another option is strongSwan, but it is not FIPS validated).
Step 5 : Create VIA Connection profile
- Populate the VIA Servers section with the necessary configuration
- Select the VIA authentication profile created above in the “VIA Authentication Profiles to provision” section
- Populate the VIA tunneled networks
Federal customers will likely tunnel all networks, as Suite B encryption is normally used to connect to classified networks.
- Enable IKEv2
(hostname)(config)# aaa authentication via connection-profile “Suite-B-VIA”
(hostname)(VIA Connection Profile “Suite-B-VIA”)# ikev2-proto
- Select Default Suite-B 10008 (AES-GCM128) or Default Suite-B 10009 (AES-GCM256) for the VIA IKEv2 Policy
(hostname)(config)# aaa authentication via connection-profile “Suite-B-VIA”
(hostname)(VIA Connection Profile “Suite-B-VIA”)# ikev2-policy “10008” or “10009”
- Enable “Use Suite B Cryptography”
(hostname)(config)# aaa authentication via connection-profile “Suite-B-VIA”
(hostname)(VIA Connection Profile “Suite-B-VIA”)# suiteb-crypto
- Select “user-cert” for the IKEv2 Authentication method (use eap-tls only if authenticating to an external server, which is currently not used in the field)
(hostname)(config)# aaa authentication via connection-profile “Suite-B-VIA”
(hostname)(VIA Connection Profile “Suite-B-VIA”)# ikev2auth user-cert
- Select “default-ikev2-dynamicmap/10000” for the VIA IPSec V2 Crypto Map
(hostname)(VIA Connection Profile “Suite-B-VIA”)# ipsecv2-cryptomap “default-ikev2-dynamicmap” number 10000
- Select “Enable Supplicant” and validate the server certificate
(hostname)(VIA Connection Profile “Suite-B-VIA”)# enable-supplicant
(hostname)(VIA Connection Profile “Suite-B-VIA”)# validate-server-cert
Client Configuration
There are three main items that will be executed to establish Suite-B communications with the controller:
- Import the elliptic curve certificates through the Microsoft Management Console (mmc.exe) program
- Install the VIA client
- Launch the VIA client, authenticate and load the VIA connection profile to support Suite-B connectivity
Troubleshooting
- Wireless client must have driver capable of Suite B encryption (on a driver only capable of AES the SSID will show up as unsecure)
- show user (SSID with Suite B encryption enabled):
(Aruba3600) #show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
172.16.2.8 44:6d:57:60:4d:b0 level99 SuiteB_Trusted 00:00:35 802.1x_suiteB Pandora-135 Wireless Pandora/d8:c7:c8:88:bd:a0/g-HT Pandora_Trusted tunnel win7
172.16.2.11 70:de:e2:89:1f:77 sandee Pandora_Trusted 16:11:29 802.1x Pandora-135 Wireless Pandora/d8:c7:c8:88:bd:b0/a-HT Pandora_Trusted tunnel iPad
User Entries: 2/2
- show user (VIA with Suite B encryption enabled):
(Aruba3600) #show user-table
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
10.10.130.10 44:6d:57:60:4d:b0 Users Suite-B-VIA 00:01:53 VIA-VPN 10.10.130.253 Inception-105 Wireless Inception/00:24:6c:ae:a6:30/g tunnel
10.10.130.253 44:6d:57:60:4d:b0 jconrad Inception-Trusted 00:01:53 VIA-VPN Inception-105 Wireless Inception/00:24:6c:ae:a6:30/g-HT Trusted_Wireless tunnel Win 7
User Entries: 2/2
Curr/Cum Alloc:2/565 Free:1/563 Dyn:3 AllocErr:0 FreeErr:0
- show auth-tracebuf (SSID with Suite B enabled)
Suite B 128 bit encryption:
Sep 29 15:40:47 ap-up * 00:1a:1e:8f:a5:41 - - wpa2 aes-gcm-128
Sep 29 15:52:10 station-up * 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - - wpa2 aes-gcm-128
…
…
Sep 29 15:52:10 wpa2-akm1-key1 <- 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
Sep 29 15:52:10 wpa2-akm1-key2 -> 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
Sep 29 15:52:10 wpa2-akm1-key3 <- 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
Sep 29 15:52:10 wpa2-akm1-key4 -> 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
Suite B 256 bit encryption:
Sep 29 15:40:47 ap-up * 00:1a:1e:8f:a5:41 - - wpa2 aes-gcm-256
Sep 29 15:52:10 station-up * 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - - wpa2 aes-gcm-256
…
…
Sep 29 15:52:10 wpa2-akm2-key1 <- 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
Sep 29 15:52:10 wpa2-akm2-key2 -> 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
Sep 29 15:52:10 wpa2-akm2-key3 <- 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
Sep 29 15:52:10 wpa2-akm2-key4 -> 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
- show auth-tracebuf (authentication failure):
Jun 25 11:37:14 station-up * 00:24:d6:65:b6:1a 00:24:6c:ae:a6:39 - - wpa2 aes-gcm-128
Jun 25 11:37:14 station-term-start * 00:24:d6:65:b6:1a 00:24:6c:ae:a6:39 300 -
Jun 25 11:37:45 station-term-end * 00:24:d6:65:b6:1a 00:24:6c:ae:a6:39/Inception-802.1x 43 - failure
Jun 25 11:37:45 eap-failure <- 00:24:d6:65:b6:1a 00:24:6c:ae:a6:39/Inception-802.1x - 4
Jun 25 11:37:45 station-down * 00:24:d6:65:b6:1a 00:24:6c:ae:a6:39 - -
- In show datapath user/station/tunnel Suite B clients can be identified by the “G” flag
show datapath user (SSID with Suite B enabled)
(Aruba3600) #show datapath user
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
S - Src NAT with VLAN IP, E - L2 Enforced, O - VOIP user
IP MAC ACLs Contract Location Age Sessions Flags
--------------- ----------------- ------- --------- -------- ----- --------- -----
40.40.40.1 00:0B:86:61:A5:4C 2701/0 0/0 0 13045 0/65535 PL
60.60.60.1 00:0B:86:61:A5:4C 2701/0 0/0 0 5 5/65535 PL
10.4.120.156 00:0B:86:40:CC:80 7/0 0/0 1 1 5/65535 L
60.60.60.10 00:19:7E:4C:01:8E 3/0 0/0 1 5 0/65535 GE
10.4.120.239 00:19:7E:4C:01:8E 3/0 0/0 1 50 0/65535 GE
10.4.120.199 00:0B:86:61:A5:4C 2701/0 0/0 0 2 0/65535 PL
0.0.0.0 00:19:7E:4C:01:8E 3/0 0/0 1 0 0/65535 GE
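The two captures above give a defender two independent signals that a wireless client really negotiated Suite B: the cipher named in the station-up event of show auth-tracebuf, and the G (AESGCM) flag in the datapath tables. The following Python script, added here as an illustration and not part of the Aruba guide, cross-checks both sources for every station MAC. The sample text is constructed from the format of the captures above; the third station (00:24:d6:65:b6:1a) is made up to show a CCMP-only association that must not be reported as Suite B.

```python
import re

# Constructed sample of "show auth-tracebuf" output, modelled on the captures
# above. The station 00:24:d6:65:b6:1a is constructed as a non-Suite-B client.
AUTH_TRACEBUF = """\
Sep 29 15:40:47 ap-up * 00:1a:1e:8f:a5:41 - - wpa2 aes-gcm-128
Sep 29 15:52:10 station-up * 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - - wpa2 aes-gcm-128
Sep 29 15:52:10 wpa2-akm1-key1 <- 00:19:7e:4c:01:8e 00:1a:1e:8f:a5:41 - 133
Sep 29 15:53:02 station-up * 00:24:d6:65:b6:1a 00:1a:1e:8f:a5:41 - - wpa2 aes
Sep 29 15:53:02 station-term-start * 00:24:d6:65:b6:1a 00:1a:1e:8f:a5:41 300 -
"""

# Constructed sample of "show datapath user" rows. Flags is the last column;
# G = AESGCM. 00:24:D6:65:B6:1A is given the CCMP flag A instead of G.
DATAPATH_USER = """\
IP MAC ACLs Contract Location Age Sessions Flags
--------------- ----------------- ------- --------- -------- ----- --------- -----
60.60.60.10 00:19:7E:4C:01:8E 3/0 0/0 1 5 0/65535 GE
10.4.120.156 00:0B:86:40:CC:80 7/0 0/0 1 1 5/65535 L
10.4.120.239 00:24:D6:65:B6:1A 3/0 0/0 1 50 0/65535 AE
"""

SUITE_B_CIPHERS = {"aes-gcm-128", "aes-gcm-256"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# station-up <sta> <bssid> - - <akm> <cipher>
STATION_UP_RE = re.compile(
    r"station-up \* (?P<sta>\S+) (?P<bssid>\S+) \S+ \S+ (?P<akm>\S+) (?P<cipher>\S+)\s*$"
)


def station_ciphers(tracebuf):
    """Map station MAC -> cipher named in its station-up event."""
    ciphers = {}
    for line in tracebuf.splitlines():
        m = STATION_UP_RE.search(line)
        if m:
            ciphers[m.group("sta").lower()] = m.group("cipher")
    return ciphers


def datapath_flags(table):
    """Map MAC -> flags for a datapath user or station table.

    Both tables print Flags as the last column; the MAC is the first column
    that looks like a MAC address (column 2 in the user table, column 1 in
    the station table). Rows without a MAC (headers, rulers) are skipped.
    """
    flags = {}
    for line in table.splitlines():
        cols = line.split()
        macs = [c for c in cols if MAC_RE.match(c)]
        if not macs:
            continue
        flags[macs[0].lower()] = cols[-1] if cols[-1].isalpha() else ""
    return flags


def audit(tracebuf, table):
    """Per-MAC verdict: Suite B only if the handshake cipher is AES-GCM and
    the datapath entry carries the G flag."""
    ciphers = station_ciphers(tracebuf)
    flags = datapath_flags(table)
    report = {}
    for mac in set(ciphers) | set(flags):
        cipher = ciphers.get(mac)
        f = flags.get(mac, "")
        report[mac] = {
            "cipher": cipher,
            "flags": f,
            "suite_b": cipher in SUITE_B_CIPHERS and "G" in f,
        }
    return report


if __name__ == "__main__":
    for mac, info in sorted(audit(AUTH_TRACEBUF, DATAPATH_USER).items()):
        print(mac, info)
```

Run against the real command output by pasting it into the two strings; a station with an AES-GCM cipher but no G flag, or the reverse, points at the driver limitation noted in the first troubleshooting bullet.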
- show datapath station (SSID with Suite B enabled)
(Aruba3600) #show datapath station
Datapath Station Table Statistics
---------------------------------
Current Entries 1
Pending Deletes 0
High Water Mark 1
Maximum Entries 16383
Total Entries 3
Allocation Failures 0
Max link length 1
Datapath Station Table Entries
------------------------------
Flags: W - WEP, T - TKIP, A - AESCCM, M - WMM N - .11n client
P- Powersave, S - AMSDU, G - AESGCM
MAC BSSID VLAN Bad Decrypts Bad Encrypts Cpu Qsz Flags
----------------- ----------------- ---- ------------ ------------ --- ---------- -----
00:19:7E:4C:01:8E 00:1A:1E:8F:A5:41 60 25 0 16 16161616 MG
- show datapath tunnel (SSID with Suite B enabled)
(Aruba3600) #show datapath tunnel
Datapath Tunnel Table Statistics
--------------------------------
Current Entries 13
Pending Deletes 0
High Water Mark 15
Maximum Entries 16383
Total Entries 17
Allocation Failures 0
Max link length 1
Datapath Tunnel Table Entries
-----------------------------
Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK
W - WEP, K - TKIP, A - AESCCM, G - AESGCM - no mcast src filtering
S - Single encrypt, U - Untagged, X - MUX, 1(cert-id) - 802.1X Term-PEAP
2(cert-id) - 802.1X Term-TLS, T - Trusted, L - No looping, d - Drop Bcast/Mcast,
D - Decrypt tunnel, a - Reduce ARP packets in the air, e - EAPOL only
C - Prohibit new calls, P - Permanent, m - Convert multicast
# Source Destination Prt Type MTU VLAN Acls BSSID Decaps Encaps Heartbeats Cpu QSz Flags
--- -------------- -------------- --- ---- ---- ---- -------------- ----------------- ---------- ---------- ---------- --- --- -----
11 10.4.120.199 10.4.120.156 47 9000 1578 0 0 0 0 00:1A:1E:C0:FA:54 13755 0 13752 31 0 TES
12 10.4.120.199 10.4.120.156 47 8210 1578 60 0 0 1 00:1A:1E:8F:A5:51 232 0 0 29 0 IMSPG1( 1)
13 10.4.120.199 10.4.120.156 47 8310 1578 60 0 0 1 00:1A:1E:8F:A5:41 989 583 0 25 0 IMSPG1( 1)
10 SPI0093C000out 10.4.120.156 50 IPSE 1500 0 routeDest 0001 0 200
9 SPIE7A28200 in 10.4.120.199 50 IPSE 1500 0 routeDest 0001 2075 0
- show crypto isakmp sa peer <ip address> (Phase 1)
(Aruba3600) # show crypto isakmp sa peer 10.10.130.253
Initiator IP: 10.10.130.253
Responder IP: 10.10.3.6
Initiator: No
Initiator cookie:ac9e35fb99f9036a Responder cookie:4e0259918e7e84e0
SA Creation Date: Wed Jun 26 17:29:23 2013
Life secs: 28800
Initiator Phase1 ID: D=test D=Inception CN=Users CN=James O. Conrad
Responder Phase1 ID: C=US S=VA L=Woodbridge O=Aruba_Networks OU=Federal_TAC CN=10.10.3.6 E=jconrad@arubanetworks.com
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:EncrAlg:AES128 HashAlg:HMAC_SHA2_256_128 DHGroup:19
Authentication Method: ECDSA with SHA-256 on the P-256 curve
CFG Inner-IP 10.10.130.9
IPSEC SA Rekey Number: 0
VIA
- Show crypto ipsec sa peer <ip address> (Phase 2)
(Inception) #show crypto ipsec sa peer 10.10.130.253
Initiator IP: 10.10.130.253
Responder IP: 10.10.3.6
Initiator: No
SA Creation Date: Wed Jun 26 17:29:23 2013
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES-GCM 128 Authentication Alg:
Encapsulation Mode Tunnel
PFS: no
IN SPI: 8593000, OUT SPI: C6CF13E6
CFG Inner-IP 10.10.130.9
Responder IP: 10.10.3.6
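The Phase 1 and Phase 2 output above is what a compliant Suite-B-GCM-128 tunnel looks like on the controller: IKEv2 with AES-128, HMAC-SHA2-256-128 integrity, DH group 19 (P-256 ECDH), ECDSA/SHA-256 authentication, and ESP using AES-GCM 128 with no separate authentication algorithm. The Python checker below, added here as an example and not part of the Aruba guide, parses both outputs and compares them with the RFC 4869 suites. The GCM-128 tokens are taken from the captures; the GCM-256 tokens (AES256, HMAC_SHA2_384_192, DH group 20, P-384) are an assumption that ArubaOS names them the same way, and the second, non-compliant sample is constructed for the test.

```python
import re

# Expected algorithms per RFC 4869 suite, written as the tokens ArubaOS prints.
# GCM-128 tokens come from the captures above; GCM-256 tokens are assumed to
# follow the same naming and should be confirmed on a real controller.
SUITES = {
    "Suite-B-GCM-128": {"ike_encr": "AES128", "ike_integ": "HMAC_SHA2_256_128",
                        "dh_group": "19", "esp_encr": "AES-GCM 128",
                        "auth": "ECDSA with SHA-256 on the P-256 curve"},
    "Suite-B-GCM-256": {"ike_encr": "AES256", "ike_integ": "HMAC_SHA2_384_192",
                        "dh_group": "20", "esp_encr": "AES-GCM 256",
                        "auth": "ECDSA with SHA-384 on the P-384 curve"},
}

# Sample Phase 1 / Phase 2 output, reproduced from the captures above.
ISAKMP_SA = """\
Initiator IP: 10.10.130.253
Responder IP: 10.10.3.6
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:EncrAlg:AES128 HashAlg:HMAC_SHA2_256_128 DHGroup:19
Authentication Method: ECDSA with SHA-256 on the P-256 curve
"""
IPSEC_SA = """\
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES-GCM 128 Authentication Alg:
Encapsulation Mode Tunnel
PFS: no
"""
# Constructed non-Suite-B sample (values are made up; same layout).
LEGACY_ISAKMP_SA = """\
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2
Authentication Method: Pre-Shared Key
"""
LEGACY_IPSEC_SA = """\
Phase2 Transform:Encryption Alg: AES-CBC 256 Authentication Alg: HMAC_SHA1_96
"""


def parse_isakmp_sa(text):
    """Extract the Phase 1 fields from 'show crypto isakmp sa peer' output."""
    f = {}
    m = re.search(r"Phase1 Transform:EncrAlg:(\S+) HashAlg:(\S+) DHGroup:(\d+)", text)
    if m:
        f["ike_encr"], f["ike_integ"], f["dh_group"] = m.groups()
    m = re.search(r"Authentication Method: (.+)$", text, re.M)
    if m:
        f["auth"] = m.group(1).strip()
    f["ikev2"] = bool(re.search(r"Exchange Type: .*IKEV2", text))
    return f


def parse_ipsec_sa(text):
    """Extract the Phase 2 (ESP) fields from 'show crypto ipsec sa peer' output."""
    f = {}
    m = re.search(r"Encryption Alg: (?P<encr>.+?) Authentication Alg:(?P<integ>.*)$",
                  text, re.M)
    if m:
        f["esp_encr"] = m.group("encr").strip()
        f["esp_integ"] = m.group("integ").strip()
    return f


def check_suite_b(isakmp_text, ipsec_text):
    """Return (matched_suite, issues). matched_suite is None unless the SA pair
    matches one RFC 4869 suite exactly; issues lists every deviation from the
    closest suite, plus the IKEv2 and GCM-only requirements."""
    observed = parse_isakmp_sa(isakmp_text)
    observed.update(parse_ipsec_sa(ipsec_text))
    best_name, best_issues = None, None
    for name, expected in SUITES.items():
        issues = [f"{k}: expected {v!r}, got {observed.get(k)!r}"
                  for k, v in expected.items() if observed.get(k) != v]
        if best_issues is None or len(issues) < len(best_issues):
            best_name, best_issues = name, issues
    if not observed.get("ikev2"):
        best_issues.append("exchange type is not IKEv2")
    if observed.get("esp_integ"):
        # AES-GCM is an AEAD cipher; a separate ESP integrity algorithm means
        # the tunnel did not negotiate a Suite B ESP transform.
        best_issues.append(f"ESP integrity {observed['esp_integ']!r} negotiated; "
                           "GCM must provide integrity alone")
    return (best_name if not best_issues else None), best_issues


if __name__ == "__main__":
    print(check_suite_b(ISAKMP_SA, IPSEC_SA))
    print(check_suite_b(LEGACY_ISAKMP_SA, LEGACY_IPSEC_SA))
```

The empty "Authentication Alg:" in the Phase 2 line is expected for GCM and is checked as such; a populated value there is the quickest sign that the dynamic map did not apply the default-gcm128/default-gcm256 transform.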
- Enable security debugging for the authmgr and ike processes, then read the security log:
(hostname)(config)# logging level debugging security process authmgr
(hostname)(config)# logging level debugging security process ike
(Aruba3600) # show log security 400
Jun 26 18:50:11 :103063: <DBUG> |ike| 10.10.130.253:50447-> IKE2_xchgIn
Jun 26 18:50:45 :103063: <DBUG> |ike| 10.10.130.253:51478-> unsupported ENCR_AES 128-BITS ENCR_AES 192-BITS skipped ENCR_AES 256-BITS skipped
Jun 26 18:50:45 :103063: <DBUG> |ike| 10.10.130.253:51478-> PRF_HMAC_SHA2_256 unsupported PRF_HMAC_SHA2_384 unsupported AUTH_HMAC_SHA2_256_128
Jun 26 18:50:45 :103063: <DBUG> |ike| 10.10.130.253:51478-> Aruba VIA detected
Jun 26 18:50:45 :103063: <DBUG> |ike| 10.10.130.253:51478-> IKE_certGetKey: validating against CA cert Inception-CA-cert-suiteb
Jun 26 18:50:45 :103063: <DBUG> |ike| 10.10.130.253:51478-> validate_issuer: trying certs:1 CA cert-chain Inception-CA-cert-suiteb blob:0x1020307c blob-len:534
Jun 26 18:50:45 :103063: <DBUG> |ike| 10.10.130.253:51478-> IKE_certGetKey validated with Trusted Certs Inception-CA-cert-suiteb
Jun 26 18:50:46 :103063: <DBUG> |ike| 10.10.130.253:51478-> IKE_initIPsecKey in:1 dstport:51478 srcport:4500
Jun 26 18:50:46 :103063: <DBUG> |ike| 10.10.130.253:51478-> pap_ikev2_auth_requests username: Users
Jun 26 18:50:46 :124448: <DBUG> |authmgr| VIA Authentication Profile is Suite-B-VIA
Jun 26 18:50:46 :132218: <INFO> |authmgr| Skipping certificate common name check for username=jconrad
Jun 26 18:50:46 :103063: <DBUG> |ike| get_ikev2_internal_ip pool Inception-VPN
Jun 26 18:50:46 :103063: <DBUG> |ike| get_ikev2_internal_ip Inner-ip from L2TP pool 10.10.130.5, DNS1:8.8.8.8, DNS2:8.8.4.4, WINS1:0.0.0.0, WINS2:0.0.0.0
MAC=00:00:00:00:00:00
Jun 26 18:50:46 :103082: <INFO> |ike| IKEv2 Client-Authentication succeeded for 10.10.130.5 (External 10.10.130.253) for Suite-B-VIA
Jun 26 18:50:46 :103063: <DBUG> |ike| IKE_CUSTOM_useCert group ca-cert:Inception-CA-cert-suiteb bits: rsa:0 ec:256
Jun 26 18:50:46 :103063: <DBUG> |ike| IKE_CUSTOM_useCert: found valid Server-Cert:Inception-suiteb-server-cert
Jun 26 18:50:46 :103076: <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 10.10.130.253:51478
Jun 26 18:50:46 :124004: <DBUG> |authmgr| lic_check_acr_limit: Allowing. ACR license is available
Jun 26 18:50:46 :124244: <DBUG> |authmgr| Allow IPSEC Suite-B ACR license cookei:28
Jun 26 18:50:46 :103063: <DBUG> |ike| Suite-B vpn is permitted
- Client that failed authentication: “Check certificate common name against AAA server” was enabled in the VIA Authentication Profile and the certificate CN (“Users”) has no entry in the internal DB
(Aruba3600) # show log security 400
Jun 26 19:59:03 :103063: <DBUG> |ike| 10.10.130.253:61355-> asn_cert_ike_subj_string Cert-len:1341 Subject: /DC=test/DC=Inception/CN=Users/CN=James O. Conrad
Jun 26 19:59:03 :103063: <DBUG> |ike| 10.10.130.253:61355-> IKE_certGetKey : cert CN:Users
Jun 26 19:59:03 :103063: <DBUG> |ike| 10.10.130.253:61355-> IKE_certGetKey: validating against CA cert Inception-CA-cert-suiteb
Jun 26 19:59:03 :103063: <DBUG> |ike| 10.10.130.253:61355-> validate_issuer: trying certs:1 CA cert-chain Inception-CA-cert-suiteb blob:0x1020307c blob-len:534
Jun 26 19:59:03 :103063: <DBUG> |ike| 10.10.130.253:61355-> validate_issuer: returned status:0
Jun 26 19:59:03 :103063: <DBUG> |ike| 10.10.130.253:61355-> IKE_certGetKey validated with Trusted Certs Inception-CA-cert-suiteb
Jun 26 19:59:03 :124448: <DBUG> |authmgr| VIA Authentication Profile is Suite-B-VIA
Jun 26 19:59:03 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype ip=10.10.130.253, method=VIA-VPN vpnflags:3
Jun 26 19:59:03 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype via_auth_profile:Suite-B-VIA
Jun 26 19:59:03 :124038: <INFO> |authmgr| Selected server Internal for method=VIA-VPN; user=Users, essid=Inception, domain=<>, server-group=internal
Jun 26 19:59:03 :133019: <ERRS> |localdb| User Users was not found in the database
Jun 26 19:59:03 :133006: <ERRS> |localdb| User Users Failed Authentication
Jun 26 19:59:03 :124004: <DBUG> |authmgr| Local DB auth failed for user Users, error (User not found in UserDB)
Jun 26 19:59:03 :124003: <INFO> |authmgr| Authentication result=Authentication failed(1), method=VIA-VPN, server=Internal, user=44:6d:57:60:4d:b0
Jun 26 19:59:03 :103063: <DBUG> |ike| *** ipc_auth_recv_packet user=Users, pass=******, result=1 ctx:10235c64, ctx-innerip:0.0.0.0 l2tp_pool:Inception-VPN
Jun 26 19:59:03 :103083: <INFO> |ike| IKEv2 Client-Authentication failed for user: Users
Jun 26 19:59:03 :103063: <DBUG> |ike| unsupported ESN_0 <-- R Notify: AUTHENTICATION_FAILED (ESP spi=95f8ef5e)#SEND 84 bytes to
- Client that failed authentication: it authenticated with an RSA certificate instead of an EC certificate (ERR_CERT_NOT_EXPECTED_OID)
Jun 26 20:56:12 :103063: <DBUG> |ike| 10.10.130.253:61555-> exchange=IKE_SA_INIT msgid=0 len=386
Jun 26 20:56:12 :103063: <DBUG> |ike| 10.10.130.253:61555-> IKE2_xchgIn
Jun 26 20:56:12 :103063: <DBUG> |ike| 10.10.130.253:61555-> InTfm Using Policy 10008, setting IKE_SA lifetime to 28800 seconds
Jun 26 20:56:13 :103063: <DBUG> |ike| 10.10.130.253:61555-> Aruba VIA detected
Jun 26 20:56:13 :103063: <DBUG> |ike| 10.10.130.253:61555-> check_aruba_vid: VIA Auth Profile : Suite-B-VIA
Jun 26 20:56:13 :103063: <DBUG> |ike| 10.10.130.253:61555-> ike2_state.c (6572): errorCode = ERR_CERT_NOT_EXPECTED_OID
Jun 26 20:56:13 :103091: <INFO> |ike| IKEv2 Digital Signature verification failed for peer 10.10.130.253:61555
Jun 26 20:56:13 :103063: <DBUG> |ike| 10.10.130.253:61555-> ike2_state.c (6879): errorCode = ERR_CERT_NOT_EXPECTED_OID
Jun 26 20:56:13 :103063: <DBUG> |ike| 10.10.130.253:61555-> <-- R Notify: AUTHENTICATION_FAILED (IKE)#SEND 84 bytes to 10.10.130.253(61555) (359551.885)
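The three show log security captures above (successful Suite-B VIA login, CN check failing against the internal DB, and an RSA client certificate rejected with ERR_CERT_NOT_EXPECTED_OID) each contain a small number of distinctive messages. The Python triage script below, added here as an example and not part of the Aruba guide, parses the log header format shown in the captures, matches those messages with ordered rules, and reports a per-capture verdict. The sample logs are constructed from lines in the captures above; the rule wording is this example's own.

```python
import re
from collections import Counter

# "Mon DD HH:MM:SS :<msgid>: <LEVEL> |process| message" as printed by
# "show log security" in the captures above.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) :(?P<msgid>\d+): <(?P<level>\w+)> "
    r"\|(?P<proc>\w+)\| (?P<msg>.*)$"
)
PEER_RE = re.compile(r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+)->")

# Ordered (substring, verdict) rules taken from messages in the captures;
# the first rule that matches a line wins. Verdict codes precede the colon.
RULES = [
    ("ERR_CERT_NOT_EXPECTED_OID",
     "cert-type-mismatch: client cert is not the ECDSA type the Suite-B profile expects (RSA cert?)"),
    ("IKEv2 Digital Signature verification failed",
     "signature-failure: IKEv2 AUTH payload could not be verified"),
    ("was not found in the database",
     "cn-check-failure: CN check against AAA server is on but the CN has no internal DB entry"),
    ("IKEv2 Client-Authentication failed", "auth-failed"),
    ("IKEv2 Client-Authentication succeeded", "auth-ok"),
    ("Suite-B vpn is permitted", "suite-b-ok: ACR license check passed"),
]
FAILURE_CODES = {"auth-failed", "cert-type-mismatch", "signature-failure", "cn-check-failure"}

# Constructed samples drawn from the captures above.
LOG_SUCCESS = """\
Jun 26 18:50:45 :103063: <DBUG> |ike| 10.10.130.253:51478-> Aruba VIA detected
Jun 26 18:50:45 :103063: <DBUG> |ike| 10.10.130.253:51478-> IKE_certGetKey validated with Trusted Certs Inception-CA-cert-suiteb
Jun 26 18:50:46 :132218: <INFO> |authmgr| Skipping certificate common name check for username=jconrad
MAC=00:00:00:00:00:00
Jun 26 18:50:46 :103082: <INFO> |ike| IKEv2 Client-Authentication succeeded for 10.10.130.5 (External 10.10.130.253) for Suite-B-VIA
Jun 26 18:50:46 :124004: <DBUG> |authmgr| lic_check_acr_limit: Allowing. ACR license is available
Jun 26 18:50:46 :103063: <DBUG> |ike| Suite-B vpn is permitted
"""
LOG_CN_FAIL = """\
Jun 26 19:59:03 :124448: <DBUG> |authmgr| VIA Authentication Profile is Suite-B-VIA
Jun 26 19:59:03 :133019: <ERRS> |localdb| User Users was not found in the database
Jun 26 19:59:03 :133006: <ERRS> |localdb| User Users Failed Authentication
Jun 26 19:59:03 :103083: <INFO> |ike| IKEv2 Client-Authentication failed for user: Users
"""
LOG_RSA_CERT = """\
Jun 26 20:56:13 :103063: <DBUG> |ike| 10.10.130.253:61555-> Aruba VIA detected
Jun 26 20:56:13 :103063: <DBUG> |ike| 10.10.130.253:61555-> ike2_state.c (6572): errorCode = ERR_CERT_NOT_EXPECTED_OID
Jun 26 20:56:13 :103091: <INFO> |ike| IKEv2 Digital Signature verification failed for peer 10.10.130.253:61555
"""


def triage(log_text):
    """Return matched findings as (timestamp, peer or None, verdict, level)
    plus a count of log levels; continuation lines without a header are skipped."""
    findings, levels = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        levels[m.group("level")] += 1
        msg = m.group("msg")
        p = PEER_RE.search(msg)
        for needle, verdict in RULES:
            if needle in msg:
                findings.append((m.group("ts"), p.group("peer") if p else None,
                                 verdict, m.group("level")))
                break
    return {"findings": findings, "levels": dict(levels)}


def verdict(log_text):
    """'failure' if any failure code appears, else 'success' on auth-ok, else 'undetermined'."""
    codes = [f[2].split(":")[0] for f in triage(log_text)["findings"]]
    if any(c in FAILURE_CODES for c in codes):
        return "failure"
    if "auth-ok" in codes:
        return "success"
    return "undetermined"


if __name__ == "__main__":
    for name, log in (("success", LOG_SUCCESS), ("cn-fail", LOG_CN_FAIL), ("rsa-cert", LOG_RSA_CERT)):
        print(name, verdict(log), triage(log)["findings"])
```

Failure rules are ordered before the generic auth-failed rule so that the first finding names the root cause; the peer address is kept with each finding so that a capture holding several clients can still be attributed.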