
How to configure a client WLAN profile for a VIA connection profile through the CLI?
Requirement:

An Aruba controller running 6.1 or later with the PEF-VPN license installed.



Solution:
Aruba VIA can push WLAN profiles to clients that use the Windows Wireless Zero Config (WZC) service to configure and maintain their wireless networks. These profiles automatically show up as an ordered list in the client's preferred networks. The client WLAN profiles to be provisioned on the client are selected in the VIA connection profile.
The VIA client WLAN profile settings are similar to the authentication settings used to set up a wireless network: the authentication method, the EAP modes and the SSID can all be specified.


Configuration:

The client WLAN profile for VIA clients is configured as follows.

(ArubaController) #
(ArubaController) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaController) (config) #wlan ssid-profile VIA-SSID
(ArubaController) (SSID Profile "VIA-SSID") #essid VIA
(ArubaController) (SSID Profile "VIA-SSID") #exit
(ArubaController) (config) #
(ArubaController) #
(ArubaController) (config) #wlan client-wlan-profile VIA
(ArubaController) (VIA Client WLAN Profile "VIA") #ssid-profile VIA-SSID
(ArubaController) (VIA Client WLAN Profile "VIA") #?
auth-as-computer        Authenticate as computer when computer info is
                        available
auth-as-guest           Authenticate as guest when computer or user info is
                        unavailable
clone                   Copy data from another VIA Client WLAN Profile
eap-cert                Configure EAP-Certificate options
eap-cert-connect-only.. EAP-Certificate: Connect only to these servers
eap-peap                Configure EAP-PEAP options
eap-peap-connect-only.. EAP-PEAP: Connect only to these servers
eap-type                EAP Type
enable-8021x            Enable IEEE 802.1x authentication for this network
ieap-cert-connect-onl.. Inner EAP-Certificate: Connect only to these servers
inner-eap               Configure inner EAP Authentication options
inner-eap-type          Inner EAP Type
no                      Delete Command
non-broadcasting-conn.. Connect even if this WLAN is not broadcasting
range-connect           Automatically connect when this WLAN is in range
ssid-profile            Name of SSID Profile

(ArubaController) (VIA Client WLAN Profile "VIA") #!
(ArubaController) (config) #

(ArubaController) (config) #aaa authentication via connection-profile VIA-Connection_profile
(ArubaController) (VIA Connection Profile "VIA-Connection_profile") #client-wlan-profile VIA
(ArubaController) (VIA Connection Profile "VIA-Connection_profile") #!
(ArubaController) (config) #


Verification
The configuration of the client WLAN profile can be verified as follows.
(ArubaController) #show wlan client-wlan-profile VIA

VIA Client WLAN Profile "VIA"
-----------------------------
Parameter                                                        Value
---------                                                        -----
EAP Type                                                         eap-peap
Inner EAP Type                                                   eap-mschapv2
EAP-PEAP options                                                 validate-server-certificate enable-fast-reconnect
EAP-Certificate options                                          simple-certificate-selection validate-server-certificate
Inner EAP Authentication options                                 mschapv2-use-windows-credentials simple-certificate-selection validate-server-certificate
Automatically connect when this WLAN is in range                 Enabled
EAP-PEAP: Connect only to these servers                          N/A
Enable IEEE 802.1x authentication for this network               Enabled
EAP-Certificate: Connect only to these servers                   N/A
Authenticate as computer when computer info is available         Enabled
Inner EAP-Certificate: Connect only to these servers             N/A
Authenticate as guest when computer or user info is unavailable  Disabled
Connect even if this WLAN is not broadcasting                    Disabled
SSID Profile                                                     VIA-SSID

(ArubaController) #show aaa authentication via connection-profile VIA-Connection_Profile

VIA Connection Profile "VIA-Connection_profile"
-----------------------------------------------
Parameter                                                                        Value
---------                                                                        -----
VIA Servers                                                                      N/A
Client Auto-Login                                                                Enabled
VIA Authentication Profiles to provision                                         N/A
Allow client to auto-upgrade                                                     Enabled
VIA tunneled networks                                                            N/A
Enable split tunneling                                                           Disabled
VIA Client WLAN profiles                                                         0/VIA
Allow client side logging                                                        Enabled
VIA IKE V2 Policy                                                                Default
VIA IKE Policy                                                                   Default
Use Windows Credentials                                                          Enabled
Enable IKEv2                                                                     Disabled
Use Suite B Cryptography                                                         Disabled
IKEv2 Authentication method                                                      user-cert
VIA IPSec V2 Crypto Map                                                          default-ikev2-dynamicmap/10000
VIA IPSec Crypto Map                                                             default-dynamicmap/10000
Allow user to save passwords                                                     Enabled
Enable Supplicant                                                                Disabled
Enable FIPS Module                                                               Disabled
Auto-launch Supplicant                                                           Disabled
Lockdown All Settings                                                            Disabled
Domain Suffix in VIA Authentication                                              Disabled
Enable Controllers Load Balance                                                  Disabled
Enable Domain Pre-connect                                                        Enabled
VIA Banner Message Reappearance Timeout(minutes)                                 60
VIA Client Network Mask                                                          255.255.255.255
Validate Server Certificate                                                      Enabled
VIA Client DNS Suffix List                                                       N/A
OCSP Cert verification enabled                                                   Disable
In EAP/IKE, action taken when OCSP Cert verification result is unkown            Reject
VIA Domain Name Profiles                                                         N/A
Destination Traffic to be blocked                                                N/A
block-destination-traffic-selector(ON/OFF)                                       OFF
VIA max session timeout                                                          1440 min
VIA Logon Script                                                                 N/A
VIA Logoff Script                                                                N/A
VIA Support E-Mail Address                                                       N/A
Maximum reconnection attempts                                                    3
VIA external download URL                                                        N/A
Allow user to disconnect VIA                                                     Enabled
Content Security Gateway URL                                                     N/A
Comma separated list of HTTP ports to be inspected (apart from default port 80)  N/A
Enable Content Security Services                                                 Disabled
Keep VIA window minimized                                                        Disabled
Block traffic until VPN tunnel is up                                             Disabled
Block traffic rules                                                              N/A
User idle timeout                                                                N/A

(ArubaController) #
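
The following is an added example, not part of the original article or Aruba's tooling: a Python check that parses the `show wlan client-wlan-profile VIA` output above and lists the 802.1X settings worth reviewing before the profile is pushed to clients. The finding labels and the reading of `N/A` as "no server-name restriction configured" are assumptions of this example; the sample rows are copied from the verification output.

```python
import re

# Rows copied from the "show wlan client-wlan-profile VIA" output in the verification step.
SAMPLE = """\
VIA Client WLAN Profile "VIA"
-----------------------------
Parameter                                                        Value
---------                                                        -----
EAP Type                                                         eap-peap
Inner EAP Type                                                   eap-mschapv2
EAP-PEAP options                                                 validate-server-certificate enable-fast-reconnect
Automatically connect when this WLAN is in range                 Enabled
EAP-PEAP: Connect only to these servers                          N/A
Enable IEEE 802.1x authentication for this network               Enabled
Authenticate as guest when computer or user info is unavailable  Disabled
Connect even if this WLAN is not broadcasting                    Disabled
SSID Profile                                                     VIA-SSID
"""

def parse_profile(text):
    """Map parameter name -> value; rows are split on the first run of 2+ spaces."""
    rows = (re.split(r"\s{2,}", ln.strip(), maxsplit=1) for ln in text.splitlines())
    return {r[0]: r[1] for r in rows
            if len(r) == 2 and r[0] not in ("Parameter", "---------")}

def audit(p):
    """Return review items (labels are hypothetical) for the pushed client WLAN profile."""
    items = []
    if p.get("Enable IEEE 802.1x authentication for this network") != "Enabled":
        items.append("802.1x-disabled")
    if p.get("EAP Type") == "eap-peap":
        if "validate-server-certificate" not in p.get("EAP-PEAP options", "").split():
            items.append("peap-server-cert-not-validated")
        # Assumption: N/A means no server-name restriction accompanies validation.
        if p.get("EAP-PEAP: Connect only to these servers", "N/A") == "N/A":
            items.append("peap-server-names-unrestricted")
    if p.get("Authenticate as guest when computer or user info is unavailable") == "Enabled":
        items.append("guest-auth-fallback")
    if p.get("Connect even if this WLAN is not broadcasting") == "Enabled":
        items.append("connects-to-hidden-ssid")
    return items

if __name__ == "__main__":
    for item in audit(parse_profile(SAMPLE)):
        print("review:", item)
```

For the profile shown in this article the only item reported is the empty "Connect only to these servers" list for EAP-PEAP.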