The Via technote should help: http://www.arubanetworks.com/wp-content/uploads/VIAAppNote_2012-06-11.pdf
You will at least need a server certificate on your controller which Via is terminating on, that your clients trust. For example, if you have a DNS name of via.domain.com which points to your controller, you would need a certificate which includes that DNS name on your controller.
You can perform user authentication using certificates or user/password credentials in Via.
From the technote above:
The IKEv2 authentication methods that are supported for VIA clients on ArubaOS are these:
User authentication with X.509 certificates
---------- The VIA client authenticates the controller certificate.
---------- The controller authenticates the user certificate. No EAP methods are involved.
User authentication with EAP-TLS
---------- The VIA client authenticates the controller certificate.
---------- The controller authenticates the user certificate using EAP-TLS over IKEv2. The controller just acts as an EAP pass-through to an external EAP-compliant server. EAP termination on the controller is not supported for VIA clients.
User authentication with EAP-PEAP
---------- The VIA client authenticates the controller certificate.
---------- The controller validates the user credentials (username and password) with an external server. The controller just acts as an EAP pass-through to an external EAP-compliant server. EAP termination is not supported for VIA clients, so the internal database of the controller cannot be used to validate user credentials.
EAP-TLS and EAP-MSCHAPv2 are supported for IKEv2. However, EAP termination and other EAP types are not supported for IKEv2.
Cheers
James