Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

VIA integration issues - Cannot download profiles

Hello All,

 

I'm struggling with integrating the VIA Client back to our 620 Controller.

 

I have the VIA Auth Profile created. The Connection Profile is down. The Web Authentication Profile is done as well.

The User Role and Policy is built. User Role has been associated to the Connection Profile.

 

I associated to a Server Group. Built to our Radius. Still would not work.

Even created another Server Group but built to the Controller's Internal Database. Still did not work.

 

Now is Port 443 supposed to be passed across the IPSec Tunnel the VIA builds back to the Controller?

I downloaded the VIA Client from the Arubanetworks website and not from the Controller. 

 

 

Any ideas will be highly appreciated.

 

Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: VIA integration issues - Cannot download profiles

You need port 443 as well as UDP 4500 from the outside to the controller.  If port 443 is not open, you cannot download a profile from the outside.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: VIA integration issues - Cannot download profiles

I suspected that 443 would be required.

 

Thanks cjoseph. 

 

Will try this out on Monday and let you know.

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: VIA integration issues - Cannot download profiles

Hey Joseph. Our Firewall rule will have to be associated with the VPN IP Address Pool I created for the VIAs, right?

And unlike the RAPs, the VPN IP Address Pool for the VIAs has to be routable on our Corporate LAN Network?

Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: VIA integration issues - Cannot download profiles


eosuorah wrote:

Hey Joseph. Our Firewall rule will have to be associated with the VPN IP Address Pool I created for the VIAs, right?

And unlike the RAPs, the VPN IP Address Pool for the VIAs has to be routable on our Corporate LAN Network?


The Firewall rule on your perimeter firewall needs to allow UDP 4500 and TCP 443 inbound to the public address of the controller.  If the controller does not have a physical public address, it needs a 1:1 NAT mapping an external address on your firewall to the internal address of the controller.

The VPN IP address pool does not need to be routable on your campus LAN for it to work.

 

 



Colin Joseph
Aruba Customer Engineering
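Added example (not part of the original thread and not Aruba tooling): a small first-match audit of a perimeter rule set for the two inbound flows and the 1:1 NAT described in the reply above. The rule format, the addresses (203.0.113.10, 10.1.1.5) and the assumption that rules are evaluated against the public, pre-NAT address are all constructed for illustration.

```python
import ipaddress

# Flows the reply above says must reach the controller's public address.
REQUIRED = [("tcp", 443, "VIA profile download"),
            ("udp", 4500, "IPsec NAT-T tunnel")]

def first_match(rules, proto, dst_ip, port):
    """Action of the first rule matching the flow; implicit deny if none match."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        lo, hi = r["ports"]
        if (r["proto"] in (proto, "any")
                and ip in ipaddress.ip_network(r["dst"])
                and lo <= port <= hi):
            return r["action"]
    return "deny"

def audit(rules, nat, public_ip, controller_ip):
    """List what would block VIA: a missing 1:1 NAT or a required port not allowed."""
    problems = []
    # Only needed when the controller has no public address of its own.
    if public_ip != controller_ip and nat.get(public_ip) != controller_ip:
        problems.append(f"no 1:1 NAT from {public_ip} to {controller_ip}")
    for proto, port, why in REQUIRED:
        if first_match(rules, proto, public_ip, port) != "allow":
            problems.append(f"{proto.upper()} {port} inbound blocked: {why}")
    return problems

# Constructed sample data (hypothetical addresses and rule schema).
PUBLIC, CONTROLLER = "203.0.113.10", "10.1.1.5"
NAT = {PUBLIC: CONTROLLER}
# State described in the thread: UDP 4500 already passed, TCP 443 not yet.
RULES_BEFORE = [
    {"action": "allow", "proto": "udp", "dst": "203.0.113.10/32", "ports": (4500, 4500)},
    {"action": "deny", "proto": "any", "dst": "0.0.0.0/0", "ports": (0, 65535)},
]
# Same rule set with a TCP 443 allow placed ahead of the catch-all deny.
RULES_AFTER = [
    {"action": "allow", "proto": "tcp", "dst": "203.0.113.10/32", "ports": (443, 443)},
] + RULES_BEFORE

if __name__ == "__main__":
    print(audit(RULES_BEFORE, NAT, PUBLIC, CONTROLLER))
    print(audit(RULES_AFTER, NAT, PUBLIC, CONTROLLER))
```

Both allow rules are scoped to the controller's /32, so the audit passes without opening the ports to any other host behind the firewall.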


Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: VIA integration issues - Cannot download profiles

Thank you Sir!

 

We already have 4500 passed. Will deal with 443.

 

Will keep you posted.

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: VIA integration issues - Cannot download profiles

Hi Joseph,

 

I finally got the VIA to work after passing TCP 443 across the Internet back to our Controller after battling with it for a while. I had to do the following:

 

1. The VPN IP Address Pool created for the VIA Clients had to be routable on our Network.

2. I had to create a dummy IKE Shared Secret Key on the "VPN Services" Form. Without this Dummy Key, the VIA would not establish a session. It always generated an error message saying "Failed to establish secure session".

 

Do the above fixes seem right to you?

I don't see any Aruba Documentation that states the above. But the Aruba Engineer says it's required.

 

The only issue I'm experiencing now is that I could not get the VIA to work using RADIUS 802.1X Authentication. It just wouldn't even download the Connection Profile.

 

Now my RAPs are using the same RADIUS Server for 802.1X Authentication and it works just fine. So why the same RADIUS Server doesn't work is beyond me.

 

The Aruba Engineer says that I need to have PAP Authentication enabled on the RADIUS Server's Policy. That this is a requirement for VIA 802.1X Authentication using the RADIUS Server to work.

 

Also, have you seen or heard about this?

 

However, I intend to test this out and then see.

Look forward to hearing from you.

 

Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: VIA integration issues - Cannot download profiles

1.  Yes to the preshared key

2.  Sorta to the routable address:  You could have put the any any source-nat ACL in the VIA user role to avoid this, or you could use a routable address, like you did.

3.  PAP is a requirement for VIA Authentication, yes.

 

We should make a VIA gotchas page for all of this, personally.

 



Colin Joseph
Aruba Customer Engineering


Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: VIA integration issues - Cannot download profiles

Yep I agree!

 

However, before we do that, let me set up the PAP Authentication first and confirm it works.

 

Will keep you updated as usual.

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: VIA integration issues - Cannot download profiles

Hey Joseph,

 

Quick question. Is there a Limit to the number of Local Controllers that can associate to a Master?

 

Secondly, is there a Limit to the number of APs that can be associated to an AP Group?
