Wireless Access

Reply
SPF
Contributor I
Posts: 23
Registered: ‎08-23-2013

VIA Pre-Connect option

 

Hi Joseph,

 

Just a brief comment about the Pre connect option. We have just tested it (to solve the problem of password expiration) and we don`t see any connection attempt in the NPS. Is there something that we have forgotten to configure? We only have checked the Preconnect option in the Connection Profile.

 

 

Thanks in advance.

 

Regards,

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: VIA Pre-Connect option

Is the device doing any machine authentication?  Is this a domain computer?  Here is the description from the user guide

 

Enable this option to allow users with lost or expired passwords to establish a VIA connection to corporate network. This option authenticates the user’s device and establishes a VIA connection that allows users to reset credentials and continue with corporate access.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba Employee
Posts: 5
Registered: ‎06-18-2009

Re: VIA Pre-Connect option

Hi,

 

Below is how VIA Pre-Connect works, let me know if you have tried this and at what stage do you see a failure. 

 

VIA 2.1 contains a new feature of Domain Pre-Connect. 

"Domain Pre-Connect", which is intended to let a client machine establish a connection to the controller even when the user is not logged in.  This lets the machine be in contact with a domain controller, which can be handy for password changes/expiration. 

 
The support starts from AOS 6.1.3.1 or later on the controller to take advantage of all the latest features, although VIA 2.1 is backwards compatible with previous versions if you do not need the new features.


Domain Pre-Connect allows the VIA client to start when the computer is at the ctrl-alt-delete screen and submit machine credentials in the background.  The machine would of course have to be wired, or connected to a wifi network that would allow it to pass IPSEC traffic at the ctrl-alt-delete prompt.
 
You would have to already have downloaded and installed the VIA client 2.1.0.0 and above and connected once using a VIA connection profile that has the "domain pre-connect" checkbox enabled.  This checkbox is only available in ArubaOs 6.1.3.1 and above and is located in the VIA Connection Profile:

The idea of this feature is to connect you to the enterprise network as if you have the ethernet cable plugged in, but over VPN.  That will allow you to do things like run login scripts, and be able to change an expiring password at the ctrl-alt delete screen.


Make sure you have network connectivity to the client when user is logged off.
·         Configure VIA connection profile for IKEv2+User certificates. (The feature works only with IKEv2 as of now).
·         The certificates have to be stored in machine store.
·         Establish at least one normal VIA IPsec connection when user is logged into the machine. (domain pre-connect creates its own profile using this profile).
·         Now log off the machine domain pre-connect would be initiated.
·         In controller you can see, the initial IPsec connection will be teared off and new connection will be triggered. (Use “show user” command).
 
 
SPF
Contributor I
Posts: 23
Registered: ‎08-23-2013

Re: VIA Pre-Connect option

 

Hello,

 

We have already upgraded to the latest controller version OS 6.2.1.4 and VIA version 2.1.1.3.40312.

We are using IKEv2 with certificates. It works. We noticed that the certificate stored in the machine is validated by the controller, but there is not any machine credentials validation in the NPS before the ctrl+alt+supr. Is that ok?

 

We have a trouble in the case that several certificates were stored int the machine. Although a specific certificate is selected in the VIA authentication profile, we noticed that the client selects randomly any certificate from the storage certificate.  Is this a normal behaviour?

 

Moreover, after the ctr+alt+spr this connection is closed and a new connection is launched when the user session is started. Is there any way to avoid this, so as to the preconnect connection remains up?

 

Thanks in advance,

 

Regards,

 

 

 

Aruba Employee
Posts: 12
Registered: ‎12-22-2013

Re: VIA Pre-Connect option

 Hi,

 

 When IKEV2 + certificate option is selected as part of VIA authentication then, the pre-connection also uses Certificates. It uses certificates stored in the machine store. In this case since the authentication is not credential based machine credentials are not used. That is the reason you don’t find attempt with machine credentials in NPS logs.

 

Pre-connection selects first machine certificate available, when multiple certificates are available in the machine store.

 

The Pre-connection once established will remain till a user logins into the system ( not exactly on press of ctrl+alt+del). Pre-connect will terminate automatically once the user desktop is displayed. VIA user connection should take over and start connecting once the user logs in.

 

Nagendra Rapaka

VIA Team.

Nagendra Rapaka
Search Airheads
Showing results for 
Search instead for 
Did you mean: