Wireless Access

Occasional Contributor I
Posts: 7
Registered: ‎01-10-2012

VIA with certificates

Hi

 

If I want to use VIA with certificates, what kind of certificates will I need on the client and server side? Do I need certificates with a specific purpose?

 

Thank you in advance

Zsolt

 

MVP
Posts: 993
Registered: ‎04-13-2009

Re: VIA with certificates

The Via technote should help: http://www.arubanetworks.com/wp-content/uploads/VIAAppNote_2012-06-11.pdf

 

You will at least need a server certificate on your controller which Via is terminating on, that your clients trust. For example if you have a DNS name of via.domain.com which points to your controller you would need a certificate which includes that DNS name on your controller.

 

You can perform user authentication using certificates or user/password credentials in Via. 

 

From the technote above:

 

The IKEv2 authentication methods that are supported for VIA clients on ArubaOS are these:

- User authentication with X.509 certificates
  - The VIA client authenticates the controller certificate.
  - The controller authenticates the user certificate. No EAP methods are involved.

- User authentication with EAP-TLS
  - The VIA client authenticates the controller certificate.
  - The controller authenticates the user certificate using EAP-TLS over IKEv2. The controller just acts as an EAP pass-through to an external EAP-compliant server. EAP termination on the controller is not supported for VIA clients.

- User authentication with EAP-PEAP
  - The VIA client authenticates the controller certificate.
  - The controller validates the user credentials (username and password) with an external server. The controller just acts as an EAP pass-through to an external EAP-compliant server. EAP termination is not supported for VIA clients, so the internal database of the controller cannot be used to validate user credentials.

EAP-TLS and EAP-MSCHAPv2 are supported for IKEv2. However, EAP termination and other EAP types are not supported for IKEv2.

 

Cheers

James

@whereisjrw
ACCX #540 | ACMX #353 | ACDX #216
Mobility First Expert #11

Occasional Contributor I
Posts: 7
Registered: ‎01-10-2012

Re: VIA with certificates

Figured out that on the controller I need Server authentication (EKU: 1.3.6.1.5.5.7.3.1), on the client side I need Client authentication (EKU: 1.3.6.1.5.5.7.3.2)... and client side certificate will not work without the private key :). (Something easy to overlook.)

 

Interestingly, certificates that work fine on Windows don't work on Android. I'm getting "ArubaVia: com.aruba.via.keystore.ViaCertStorageException: Encoding is not supported by this key." error messages.

 

I would appreciate any ideas about how I can get VIA working on Android.

 

Thanks

Zsolt

Aruba Employee
Posts: 20
Registered: ‎02-02-2012

Re: VIA with certificates

You need to create the certificate private key and then put it into a PFX file, and put it on the Android phone. Then, inside VIA there is an option to “import certificate” including CA cert. Once the cert is imported it will work.
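
The requirements worked out in this thread (Server authentication EKU on the controller certificate, Client authentication EKU plus the matching private key on the client, bundled as a PFX together with the CA certificate) can be checked with the OpenSSL command line before anything is imported into VIA. This is an added example, not part of the original posts or of Aruba's documentation; the throwaway CA, the subject names, the file names and the password `demo-only` are constructed, and `via.domain.com` is the example name used earlier in the thread.

```bash
# Added example: every name, file and password below is constructed for the demo.
set -eu

# True if certificate $1 lists EKU $2 (OpenSSL's display name for the OID).
has_eku() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# True if private key $1 belongs to certificate $2 (same public key).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Issue one throwaway cert: $1=dir $2=file stem $3=CN $4=EKU short name.
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage = %s\n' "$4" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# Build a demo CA, a controller (server) cert and a user (client) cert in $1.
build_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -subj "/CN=Demo VIA CA" -days 1 -out "$1/ca.pem" 2>/dev/null
  issue "$1" controller via.domain.com serverAuth   # EKU 1.3.6.1.5.5.7.3.1
  issue "$1" user demo-user clientAuth              # EKU 1.3.6.1.5.5.7.3.2
}

# Bundle user key + user cert + CA cert into $1/user.pfx, password $2.
make_pfx() {
  key_matches_cert "$1/user.key" "$1/user.pem" || return 1
  openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.pem" \
    -certfile "$1/ca.pem" -name via-user -passout "pass:$2" -out "$1/user.pfx"
}

# True if PFX $1 (password $2) carries a private key, not just certificates.
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

d=$(mktemp -d); build_demo_pki "$d"; make_pfx "$d" demo-only
has_eku "$d/user.pem" 'TLS Web Client Authentication' &&
  pfx_has_key "$d/user.pfx" demo-only && echo "user.pfx: clientAuth EKU and key OK"
```

Against real certificates, only `has_eku`, `key_matches_cert` and `pfx_has_key` are needed; `build_demo_pki` exists so the checks have something to run on.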
