Controller-less WLANs

Authentication fails in VIA - User Name & Pwd is shown Blank in security logs

Environment  :  VIA client --> Controller --> Radius server authentication

 

Details:-
------------
VIA clients were unable to establish connection to the controller and authenticate against CPPM server. From security logs; we could notice "username" being blank for some reason.
 
VIA version:- 2.1.1.3
Software Version: 6.3.0.1
 
 Debug logs output from controller:-
------------------------------------------------
 
Jan 3 09:40:20 :103063:  <DBUG> |ike|  81.135.116.209:50703-> got username=
Jan 3 09:40:20 :103063:  <DBUG> |ike|  81.135.116.209:50703-> got password=******
Jan 3 09:40:20 :103063:  <DBUG> |ike|  81.135.116.209:50703-> got user=, pass=*****
 
This issue occurs with both 32 & 64 bit builds where VIA clients were unable authenticate.
 
aaa authentication via connection-profile "PNL_via-connection"
   server addr "lab.arubanetworks.com" internal-ip 10.10.10.19 desc "VIA Access" position 0
   auth-profile "via-radius" position 0
   tunnel address 10.0.0.0 netmask 255.0.0.0
   split-tunneling
   ikev2-policy "10004"
   ike-policy "20"
   no windows-credentials
   lockdown-all-settings
   auth_domain_suffix
   controllers-load-balance
   no domain-pre-connect
   no validate-server-cert
   dns-suffix-list "lab.arubanetworks.com"
   support-email "testlab@arubanetworks.com"
   ext-download-url "https://testlab.arubanetworks.com/via"
   no allow-user-disconnect
   minimized
   
There were no special info that indicates on Clear pass access Tracker towards the solution. 
Use Windows Credentials didn`t make any difference as VIA clients were still unable to authenticate.
 
Root cause:-
------------------
Found the root cause with End point security firewall application installed on the client were causing connectivity issue for the VIA authentication.
 
This is the update from latest VIA and ESET endpoint security interop
 
•Use windows credentials work perfectly fine.
•Every two minutes tunnel gets dropped as the heartbeat messages to internal IP is treated  “Detected covert channel exploit in ICMP packet Remote IP Address: Internal IP address”
 
Scenarios
•Installed VIA and then ESET end point security
•Installed ESET end point security and then VIA 
 
PS: ESET end point security is running at Maximum Protection status on
•Computer
•Network
•Web and email
 
Find below procedure doc for the test results with regards to ESET end point security application and how to allow the VIA traffic to pass through.

Allowing VIA Virtual Adapter Connection on each connect.
1 Whenever VIA establishes tunnel, it prepares Aruba virtual Adapter. ESET detects this and displays the following to select.
rtaImage.jpg
 
 
1)      Select Any option and then follow the instructions below.
a.       Goto  Advanced Setup-> Rules and Zones :  Select “Do not display dialog withTrusted zone settings when changes ….” And press setup button in the trusted zone.
b.      Select the zone that is related to VIA corporate network and check only the adapter type with  Virtual adapter as shown in the picture below.
 
rtaImage 1.png
 

  Press OK and Next. Select allow sharing ( This is VIA connection and you might want to share with other computers in your cop network. You can also select Strict protection).

Allowing VIA functionality (post connection).
Whenever VIA establishes tunnel, it communicates with controller by sending encrypted data to it. It also sends ICMP messages to controller and will wait for a reply from controller to see if the CPN tunnel is intact. ESET in its default configuration prevents such communication with the following message in the picture.
 
rtaImage 2.jpg
 
This post tunnel activity needs changes in the default configuration of ESET options. Follow the steps below to allow VIA functionality.
1)      Select Advanced Setup from the ESET Tray menu.
2)      Goto Network->Personal Firewall->IDS and advanced options
3)      Expand the Packet Inspection section
4)      Clear Covert data in ICMP protocol detection ( checked by default) and press OK.
 
rtaImage 3.jpg
 
Notes:-
---------
We found some interoperabilty issues between ESET total protection with VIA. 
ESET Total Protection is very restrictive in a default configuration and does not allow for a smooth functioning of VIA. 
The version 4 also has a default configuration of "disabling all traffic within the system" breaking the operating system's IPC mechanism.
The version 5 is less restrictive comparatively and lets VIA connect. However we have found two potential problems that mandates changes to the ESET settings for 
smooth functioning of VIA. Attached Document has details. 
 
VIA client were able to connect and authenticates fine to pass traffic after allowing VIA on the End point security Firewall application.

 

Version history
Revision #:
1 of 1
Last update:
‎07-03-2014 01:48 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.