Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA IKEv2 user certificate pre-connect

  • 1.  VIA IKEv2 user certificate pre-connect

    Posted Apr 14, 2014 07:22 AM

    Hi,

     

    I'm having trouble grasping the whole pre-connect thing.

     

    I have a 3400 Aruba controller (version 6.2) and VIA client software version 2.1.1.1.36296.

    To get VIA to work I have enabled NAT for ports 4500 and 443, and I am able to successfully connect using IKEv1 and RADIUS.

    Right now I would like to enable IKEv2 so that VIA sets up a VPN using the computer (for domain users to log on at ctrl+alt+del).

     

    The thing I don't quite understand is that you need to use user certificates, which are placed in the computer store of the client?
    How should I create these user certificates? Right now I created a computer certificate using our root CA, but the computer fails to set up a VPN at the ctrl+alt+del screen. When I try to connect with the VIA client it asks for the certificate (there is only one), but then generates an ERR -11400: Failed to establish secure session. How should I proceed?

     

    I have the feeling I'm missing some information on how to get this to work; the manual and AppNote seem to lack details on how to configure the certificates.

    Attached is a part of the (sanitized) config.

     

    Thanks in advance,

     

    Alex

     


    #3400

    Attachment(s): controllerConfig.txt (3 KB, 1 version)


  • 2.  RE: VIA IKEv2 user certificate pre-connect

    Posted Apr 14, 2014 08:33 AM

    I have gotten a little further. I can connect using IPsec. However, when I reboot the client computer I am unable to log on to the domain (it states that services are not available, thus no VPN connection is established). Any tips?



  • 3.  RE: VIA IKEv2 user certificate pre-connect

    EMPLOYEE
    Posted Apr 14, 2014 10:05 AM


  • 4.  RE: VIA IKEv2 user certificate pre-connect

    Posted Apr 14, 2014 10:10 AM

    Hi CJoseph,

     

    I followed that article, but it suggests pre-connect only works after a user is logged off, NOT when the computer is restarted, am I right?

     

    Thanks.

     

    Alex



  • 5.  RE: VIA IKEv2 user certificate pre-connect

    EMPLOYEE
    Posted Apr 14, 2014 10:22 AM

    It should work when the user is NOT logged in, which should include a reboot at the ctrl-alt-del screen. I cannot tell from your VIA connection profile if the domain preconnect option is enabled. If it is, we need to open a case with support, because the only indicator of whether it is working or not is your logs, which contain sensitive information. TAC would look in the VIA client logs to see if it is even attempting to establish a connection and if the controller is seeing it.



  • 6.  RE: VIA IKEv2 user certificate pre-connect

    Posted Feb 17, 2015 02:49 PM

    Alex, did you ever get this resolved? I am having an issue and support has not been able to find a solution yet. I want to use IKEv2 EAP-TLS and pre-connect to authenticate my VIA users. I have a cert on the PC in the personal folder and I have a trusted cert on CPPM in the trusted certs section of CPPM. If anyone has this working I would really enjoy hearing from you. In CPPM we are seeing rejects from username 0000000000000 instead of the hostname of the PC the personalized cert is assigned to. And in the VIA client we see "Failed to establish secure connection error 11400".

     

    I will add that we had AD authentication with preconnect working, and all we have changed is the authentication type from MSChapV2 to EAP-TLS in the VIA Connection profile. According to support this would be the only change needed to move to EAP-TLS.
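As an added diagnostic for the ERR -11400 before-logon failures described in posts 1 and 6 (this is not from the thread, from HPE Aruba or from the VIA documentation), the PowerShell below lists every certificate with a private key and the Client Authentication EKU in both the machine store and the current user's personal store. Before anyone has logged on, no user profile is loaded, so only a certificate in the LocalMachine store can be presented; a cert that appears only under CurrentUser is the first thing to rule out. It is read-only and assumes nothing beyond the standard Windows certificate stores.

```powershell
# Added diagnostic (not from the thread): compare client-authentication
# certificates in the machine store vs. the logged-on user's store.
# Read-only; nothing is modified.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCerts {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $StorePath
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                DnsNames   = ($_.DnsNameList.Unicode -join ', ')
                Expires    = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}

$machine = @(Get-ClientAuthCerts 'Cert:\LocalMachine\My')
$user    = @(Get-ClientAuthCerts 'Cert:\CurrentUser\My')

if ($machine.Count -eq 0) {
    # A tunnel started at the ctrl+alt+del screen has no user store to
    # draw from, so an empty machine store explains a pre-connect failure.
    Write-Warning 'No client-auth certificate with a private key in LocalMachine\My.'
}
$expired = ($machine + $user) | Where-Object { $_.Expires -lt (Get-Date) }
if ($expired) {
    Write-Warning ("Expired client-auth certificate(s): " + ($expired.Thumbprint -join ', '))
}

($machine + $user) | Format-Table -AutoSize
```

Compare the Subject and DnsNames columns with what the controller or ClearPass logs as the identity of the rejected session; a mismatch between the name the server expects and the name in the machine certificate is worth checking before opening a TAC case.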