Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Via ON-Demand IOS devices

  • 1.  Via ON-Demand IOS devices

    Posted Aug 19, 2016 07:57 PM

    Hello,

     

    I am running into an issue getting on-demand working with VIA using the Onboard process for iOS. I have VIA set up on our controller using IKEv2 with EAP-TLS, authenticating to our CP server. I have set up the Onboard process to install a VIA profile through the iOS settings. Once an iPhone is onboarded and the VIA client is installed, I download the VIA profile, set my certificate to be used, and see that on-demand is not enabled...

     

    VIA does authenticate to ClearPass successfully and I can connect to the intranet when it is authenticated, so it does not seem to be an issue connecting to the controller or authenticating to CP. I have contacted TAC regarding the issue, but at the moment they were only able to verify that my Onboard settings were correct for the iOS VPN profile, so I still have this open with them...

     

    I guess my question is: has anyone successfully configured VIA on-demand using the ClearPass Onboard process? I tried searching the threads here but could not find anything specific. If anyone has any ideas, I would appreciate it.

     

    OS and hardware:

     

    CP 6.5.0.71095

    Controller Software : 6.4.3.4

    Controller Hardware: Aruba7005-US



  • 2.  RE: Via ON-Demand IOS devices

    EMPLOYEE
    Posted Aug 24, 2016 05:30 AM

    SC3252,

     

    For the iOS platform, connect on demand can only be enabled by configuring it manually on the client, and not pushed through the profile, unfortunately. That is a limitation of the iOS client.

     



  • 3.  RE: Via ON-Demand IOS devices

    Posted Aug 24, 2016 11:57 AM

    Cjoseph,

     

    I appreciate the response. When I do enable the setting in the app, it still doesn't launch the VPN connection when attempting to access internal resources. Is there a spot on the controller where I specify the address range to launch on demand?



  • 4.  RE: Via ON-Demand IOS devices
    Best Answer

    EMPLOYEE
    Posted Aug 29, 2016 06:07 AM

    SC2352,

     

    If you have not gotten an answer yet, here is how I was told it should work:

     

     

    1. On the controller set for example, "company.com" as the DNS suffix in the connection profile.
    2. On the iOS client, download the above profile (make sure you are not on the intranet network, so that company.com internal IPs are not accessible).
    3. Disconnect VIA (If it is already connected) and enable “Connect-on-demand” from settings->VPN tab.
    4. Launch any server/resource in "company.com" domain. For example, launch “intranet.company.com” in the iOS device.
    5. VIA triggers on-demand and connects.


  • 5.  RE: Via ON-Demand IOS devices

    Posted Sep 20, 2016 04:28 PM

    Thank you cjoseph. That is the correct location to edit the on-demand settings. A couple of things to keep in mind for anyone else trying to do this:

     

    1.  If your provider's DNS can resolve the location (I had this issue with T-Mobile), it will not bring the VPN connection up, even if the address isn't available outside your internal network.

     

    2.  Only one suffix is allowed. While it may look like more than one is allowed, I was told that is not the case, and I have experienced that first hand trying to put down two (neither suffix will work if you try).