Aruba Apps


VIA dual factor authentication ?

  • 1.  VIA dual factor authentication ?

    Posted Feb 22, 2013 12:23 PM

     

    I have a question specific to VIA and dual factor authentication. 

     

    I have an issue with iPads and Droid tablets when using Cisco FW/VPN and RSA for dual factor authentication. 

     

    First factor is a simple user ID and password. 

     

    Second factor authentication is delivered from the RSA in the form of a question to the device.

     

    Using a Windows or Mac laptop, the RSA question is clear. When using an iPad or Droid, the question is scrambled and not readable. After a call with RSA we understand the issue is with the RSA solution and something to do with flash and how they deliver the question. In any case, iPads and Droids are prevented from using VPN access because users can't answer the question. 

     

    Previously we tested VIA and it worked well for single factor authentication, user ID and password. Thinking outside of the box, can the VIA app and the Aruba controller provide 2 factor authentication? Perhaps a requirement for a user ID and password as first factor and a unique certificate on the tablet as a second factor? 

     

    Any suggestions are appreciated ..

     

    Thanks



  • 2.  RE: VIA dual factor authentication ?

    Posted Feb 22, 2013 01:48 PM

    You have a couple of options. You can use two-factor solutions (i.e. tokens) as a source of authentication for VIA. The user would submit the username/tokencode, for example, rather than username/password. You can also implement the solution using IKEv1; Phase 0 authentication can be in the form of a certificate (user only...on tablets that is not a problem) and then XAUTH can be called to require an additional username/password combination to complete the connection.



  • 3.  RE: VIA dual factor authentication ?

    Posted Feb 22, 2013 02:07 PM

    We are trying to avoid tokens. Can you point me in the direction of additional reading material for the IKEv1 solution with XAUTH? Have you done a config like this before? 

     

    Thank you for the quick reply! 

     

     



  • 4.  RE: VIA dual factor authentication ?
    Best Answer

    Posted Feb 22, 2013 02:22 PM

    Yes, I have set this up in the past.    The setup is covered in the VIA App Note on the VRD Site.   Refer to Chapter 5; specifically the section titled Configuring VPN Server for IKEv1-Certs; page 23 in the version I have.

     

    One thing to note, there is reference to an IKE Policy that doesn't exist (or didn't in the last two installs I did).  I had to add it and it worked fine. The command to create the policy is:

    crypto isakmp policy 30
     version v1
     encryption AES256
     authentication rsa-sig
     hash sha
     group 2
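
A check for the gotcha described in the answer above (the referenced IKE policy not existing on the controller), as an added example that is not part of the original post or any Aruba tooling. It assumes the config is available as text with stanzas in the syntax shown in the post; the sample config, the second policy, and the function names are constructed for illustration.

```python
import re

# Constructed sample of a controller config excerpt (not from the thread);
# stanza syntax follows the policy shown in the post above.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 version v2
 encryption AES256
 authentication pre-share
 hash sha
 group 2
crypto isakmp policy 30
 version v1
 encryption AES256
 authentication rsa-sig
 hash sha
 group 2
"""

def parse_isakmp_policies(config_text):
    """Return {policy_number: {keyword: value}} for each 'crypto isakmp policy' stanza."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r"^\s*crypto isakmp policy (\d+)\s*$", raw)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and raw[:1].isspace() and raw.strip():
            # Indented line: a 'keyword value' setting of the open stanza.
            key, _, value = raw.strip().partition(" ")
            current[key.lower()] = value.strip().lower()
        elif raw.strip():
            current = None  # unindented non-header line ends the stanza
    return policies

def find_ikev1_cert_policies(config_text):
    """Policy numbers that offer IKEv1 with certificate (rsa-sig) authentication.

    Assumption: only policies with an explicit 'version v1' line are counted.
    """
    return sorted(
        num for num, p in parse_isakmp_policies(config_text).items()
        if p.get("version") == "v1" and p.get("authentication") == "rsa-sig"
    )

if __name__ == "__main__":
    found = find_ikev1_cert_policies(SAMPLE_CONFIG)
    print("IKEv1 rsa-sig policies:", found or "none; add one as in the post above")
```

An empty result means the controller has no policy that would let the certificate phase negotiate, which matches the situation the answer describes before the policy was added by hand.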