Occasional Contributor I

Via ON-Demand IOS devices

Hello,

 

I am running into an issue getting on-demand working with VIA using the Onboard process for iOS. I have VIA set up on our controller using IKEv2 with EAP-TLS authenticating to our CP server. I have set up the Onboard process to install a VIA profile through the iOS settings. Once an iPhone is onboarded and the VIA client is installed, I download the VIA profile, set my certificate to be used, and see that on-demand is not enabled...

VIA does authenticate to ClearPass successfully and I can connect to the intranet when it is authenticated, so it does not seem to be an issue connecting to the controller or authenticating to CP. I have contacted TAC regarding the issue, but at the moment they were only able to verify that my Onboard settings were correct for the iOS VPN profile, so I still have this open with them...

I guess my question is, has anyone successfully configured VIA on-demand using the ClearPass Onboarding process? I tried searching the threads here, but could not find anything specific. If anyone has any ideas I would appreciate it.

 

OS and hardware:

 

CP 6.5.0.71095

Controller Software : 6.4.3.4

Controller Hardware: Aruba7005-US

Guru Elite

Re: Via ON-Demand IOS devices

SC3252,

 

For the IOS platform, connect on demand can only be enabled through configuration manually on the client, and not pushed through the profile, unfortunately.  That is a limitation of the IOS client.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Via ON-Demand IOS devices

Cjoseph,

 

I appreciate the response. When I do enable the setting in the app, it still doesn't launch the VPN connection when attempting to access internal resources. Is there a spot on the controller where I specify the address range to launch on demand?

Guru Elite

Re: Via ON-Demand IOS devices

SC2352,

 

If you have not gotten an answer yet, here is what I was told is how it should work:

  1. On the controller, set, for example, "company.com" as the DNS suffix in the connection profile.
  2. On the iOS client, download the above profile. (Make sure you are not on the intranet network, so that company.com internal IPs are not accessible.)
  3. Disconnect VIA (if it is already connected) and enable "Connect-on-demand" from the settings->VPN tab.
  4. Launch any server/resource in the "company.com" domain. For example, launch "intranet.company.com" on the iOS device.
  5. VIA triggers on-demand and connects.


Colin Joseph
Aruba Customer Engineering

Occasional Contributor I

Re: Via ON-Demand IOS devices

Thank you, cjoseph. That is the correct location to edit the on-demand settings. A couple of things to keep in mind for anyone else trying to do this:

1.  If your provider's DNS can resolve the location (I had this issue with T-Mobile), it will not bring the VPN connection up, even if the address isn't available outside your internal network.

2.  Only one suffix is allowed. While it may look like more than one is allowed, I was told that is not the case, and I have experienced that firsthand trying to put down two (neither suffix will work if you try).
