
VIA setup with IKE v1 and v2

Hi,

A customer is looking at setting up a trial of the VIA remote access, and initially I was thinking of an IKEv1 setup with machine cert then username/password as a pilot.

They have asked about the possibility of non-domain devices like iPads as well, which could be an IKEv2 setup.

Was just wondering if it is possible to have the two methods running concurrently, or is it a case of one or the other?

Any suggestions or examples of how others have done it would be appreciated.

Thanks


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294

Re: VIA setup with IKE v1 and v2

Are you trying to do a two-factor auth by using IKEv1?

IKEv2 supports EAP-TLS, which you could use across all of your clients.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: VIA setup with IKE v1 and v2


The iPads can also be configured with IKEv1 policies in the same way: initially authenticate with certificate and then username/password. If you also want to use IKEv2, you'll need two Connection Profiles, as you have to choose whether to use IKEv1 or IKEv2 on your VIA Connection Profile.

Or, as Tim suggests, if you aren't interested in the two-phased auth approach of IKEv1 or require IKEv2, you could use PEAP (EAP-TLS or EAP-MSCHAPv2) or even just X.509 certificate or username/password.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: VIA setup with IKE v1 and v2

Basically wanted the two-factor with IKEv1, but they've asked about accommodating iPads as well.


ACCP, ACCX #817, ACMP, ACMX #294

Re: VIA setup with IKE v1 and v2

Using dual-auth options with IKEv1 works on iPads as well; you just need to have a way to get the certificate onto the iPad.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: VIA setup with IKE v1 and v2

So in terms of a policy in NPS to accommodate this machine cert first then the username/password, what would this need to look like?

Is it just a case of allowing PAP?

Just wondering if anyone has an example of NPS policy to share?

I have sort of stitched myself up here by offering this as a trial to one of our global Aruba customers. Hopefully it will prove to be another nice feather in the cap!! ;-)


ACCP, ACCX #817, ACMP, ACMX #294

Re: VIA setup with IKE v1 and v2

NPS cannot authenticate the user-cert portion of this (it is not EAP based); only phase 2, the XAUTH/PAP authentication.

The controller will authenticate phase 1 (user-cert) by specifying the issuing CA under "CA Certificate Assigned for VPN-Clients" under the VPN Services configuration. Only clients that present a certificate issued by a CA in this list will pass this phase of authentication. Phase 2 of authentication is done with XAUTH. You can use NPS for this, ensuring that PAP is the allowed authentication type.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
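To make the "allow PAP on NPS" part of the answer above concrete, here is an added example (not from the thread, Aruba or Microsoft) of how the phase-2 XAUTH username/password is carried from the controller to NPS: the RADIUS User-Password attribute hides the PAP password with the RFC 2865 MD5-chained XOR, keyed by the RADIUS shared secret and the per-request authenticator. All values (secret, authenticator, password) are constructed for the demonstration; it assumes the controller talks standard RADIUS to NPS.

```python
"""Added example: RFC 2865 User-Password hiding as applied to the XAUTH/PAP step.

The controller (acting as the RADIUS client) runs hide_password() before sending
the Access-Request; NPS runs the inverse to recover the cleartext for PAP.
Constructed demo values only; hashlib is standard library.
"""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obscure a PAP password per RFC 2865 section 5.2 (MD5-chained XOR)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    # Pad with NULs up to a multiple of 16 bytes, as the RFC requires.
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator  # first block is keyed by the authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c  # each later block is keyed by the previous ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as the RADIUS server performs it; strips NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden field must be a non-zero multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def user_password_attribute(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the RADIUS TLV for attribute 2 (User-Password): type, length, value."""
    value = hide_password(password, secret, authenticator)
    return bytes([2, 2 + len(value)]) + value
```

Recovering the password requires the shared secret, which is why the controller-to-NPS RADIUS secret and network path are what protect the XAUTH credential when PAP is the allowed type.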
