Aruba Apps


The HPE Aruba Networking Apps board is designed to address questions, comments, and feature requests for all HPE Aruba Networking mobile Apps

VIA redundancy model, if possible?

  • 1.  VIA redundancy model, if possible?

    Posted Feb 21, 2018 05:08 AM

    Hello,

    Hope someone will be able to advise on a VIA design from their experience.

    Is it possible to configure seamless failover of VIA in case the mobility controller to which the connection is initially established fails? If it is not, what would be the best design setup (minimum recovery time)? Deployment is greenfield, and any MC failover design is possible. Thanks in advance.

    Regards,

    NesaM



  • 2.  RE: VIA redundancy model, if possible?
    Best Answer

    EMPLOYEE
    Posted Feb 22, 2018 05:18 AM

    You can configure a VIA Backup Server in the connection profile. Please see the VIA App Note here: https://community.arubanetworks.com/t5/Validated-Reference-Design/Virtual-Intranet-Access-VIA/ta-p/155614

    [screenshot attached]

    The failover is certainly not stateful, because the client will get a different IP address from the VPN pool on a different controller, so I would not count on it necessarily being seamless.



  • 3.  RE: VIA redundancy model, if possible?

    Posted Feb 22, 2018 03:04 PM

    Thank you Colin, this does answer my question, much appreciated.

    Regards,

    NesaM



  • 4.  RE: VIA redundancy model, if possible?

    Posted Mar 12, 2020 09:51 AM

    Hello Colin, 

    What about master/local running VRRP? In this case, should we terminate VIA users on the VRRP IP address? Is this option supported?



  • 5.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 12, 2020 09:57 AM

    There is no benefit to terminating on a VRRP. It should be to the IP address of a controller.

    A good ASE solution for VIA setup is here: https://ase.arubanetworks.com/solutions/id/190



  • 6.  RE: VIA redundancy model, if possible?

    Posted Mar 12, 2020 10:05 AM

    Thanks Colin for the quick answer!!!

    1) So VRRP isn't supported? The challenge I have here is that I need to set up port forwarding/NAT from the outside to the inside network where I have my controllers; the easy way is to NAT the public IP to the internal VRRP IP address.

    What do you think?

    2) The ASE you shared is for AOS8; however, I have AOS6 in place. Is it a bit similar? Should I only take notes?



  • 7.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 12, 2020 10:48 AM

    1. Only a backup server is supported for redundancy.

    2. It is similar. There is a VIA validated reference design guide based on ArubaOS 6.x here: https://community.arubanetworks.com/t5/Validated-Reference-Design/Virtual-Intranet-Access-VIA/ta-p/510246



  • 8.  RE: VIA redundancy model, if possible?

    Posted Mar 12, 2020 12:01 PM

    I went through the VRD and learned a lot from it.

    One more question here: I opted to use IKEv2 with X.509.

    Must this cert be public or private? What is the best practice regarding certs?

    Thank you Colin!



  • 9.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 12, 2020 12:08 PM

    Your clients must trust the CA that issues the client-side certificates. If you manage all of your endpoints using AD, that would be your internal CA. Client certificates are easily distributed via autoenrollment. If you do not manage all of your endpoints, you will have to figure out how to distribute client-side certificates to non-domain endpoints. For the majority of organizations this has to be a private CA issuing certificates to clients. If you haven't already, I would start with username and password, instead of diving into client-side certificates immediately.



  • 10.  RE: VIA redundancy model, if possible?

    Posted Mar 16, 2020 09:26 AM

    Hello Colin,

    This is exactly what we did; we ended up using EAP-PEAP, so no client cert is needed (because there are phones without the internal CA).

    One thing I would like to mention here: under

    Advanced services > VPN services > IPSEC

    is it fine to keep IKE SERVICE CERTIFICATE: NONE?

    [screenshot attached]



  • 11.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 16, 2020 11:33 AM

    Do not change that parameter.



  • 12.  RE: VIA redundancy model, if possible?

    Posted Mar 16, 2020 11:39 AM
    Well noted,
    I'll keep it default (NONE).
    Thank you for the help!!


  • 13.  RE: VIA redundancy model, if possible?

    Posted Mar 16, 2020 04:20 PM
    Setting up VIA seems to be difficult;
    I spent more than 4 hours with TAC to make that setup.

    I'm getting 2 different errors in 2 cases:

    - Error 89749, when I keep the IKE cert as NONE
    - Error 7608, when I select the IKE cert as "my captive portal cert (public)".

    For the second, I can't find any related article about it.

    Colin, can I PM you the case number and try to help TAC on that?


  • 14.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 16, 2020 04:24 PM

    To be honest, if you set up VIA with PEAP you do not have to manipulate certificate settings. What makes you need to manipulate that certificate screen?



  • 15.  RE: VIA redundancy model, if possible?

    Posted Mar 16, 2020 04:29 PM

    Here is something:

    let's focus on the case where the IKE server cert field is "NONE".

    I'm getting error 8949, and I believe that all other parameters are fine and correctly set up (also verified by TAC).

    From the firewall side, I have 443, UDP 4500 and UDP 500 forwarded to the master controller.

    What might be the source of that error code?



  • 16.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 16, 2020 04:35 PM

    EDIT:

    What exactly are you trying to do?



  • 17.  RE: VIA redundancy model, if possible?

    Posted Mar 16, 2020 05:03 PM

    I'm using AOS6 and attached some screenshots:

    - VIA VPN pool created

    - User profile created

    - Auth profile created

    - Conn profile created

    - Assign conn profile and VIA pool to user profile

    - Assign auth profile to the conn profile



  • 18.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 16, 2020 05:19 PM

    Okay. What are you trying to do? You want to authenticate VIA users to an AD infrastructure over RADIUS?



  • 19.  RE: VIA redundancy model, if possible?

    Posted Mar 16, 2020 05:54 PM

    Correct, VIA users connect against AD using their username/password.

    Regards,

    Thanks.



  • 20.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 16, 2020 06:13 PM

    Enable "PAP" in authentication protocols (you will also have to enable PAP in the service on your RADIUS server).

    In your connection profile, make the IKEv2 and IKE policies default. Also uncheck IKEv2 in the same profile.

    In the VIA authentication profile, make the authentication profile PAP.

    Try to authenticate after that. Start with those simple configurations.



  • 21.  RE: VIA redundancy model, if possible?

    Posted Mar 20, 2020 08:06 AM

    The options you suggested are the ones I did and everything works fine.

    I'm now doing IKEv1 with MFA.

    In your previous comment, I saw that you didn't recommend the use of VRRP for master/local in the same subnet; however, in a document

    [screenshot attached]

    Is this something tied to AOS8?



  • 22.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 20, 2020 08:08 AM

    There are a number of instances where VIPs behind a firewall do and do not work, and they are not fully documented. I would personally hesitate to recommend it, as a result.

    EDIT: If it works for you, use it. I personally would use literal IP addresses so that during times of troubleshooting I am fully aware of what my users are connecting to so that I can resolve any issues.



  • 23.  RE: VIA redundancy model, if possible?

    Posted Mar 20, 2020 09:06 AM

    I think I'll update my settings to use that:

    - For the master controller, I have VPN pool: 172.16.10.0/24

    - For the local controller, I have VPN pool: 172.16.20.0/24

    - Firewall to NAT/port forward from outside to the VRRP IP address.

    So under Connection profile / VIA servers I'll have only one entry:

    Hostname/IP Address:

    vpn.domain.com

    Internal IP Address:

    10.10.xx.xx (my VRRP IP address)

    With that being said, if the user is terminated on the master, the user will take an IP from 172.16.10.0,

    and if the user is terminated on the local, the inner IP will be from 172.16.20.0.

    Correct scenario?



  • 24.  RE: VIA redundancy model, if possible?

    EMPLOYEE
    Posted Mar 16, 2020 04:46 PM

    @MandP wrote:

    Here is something:

    let's focus on the case where the IKE server cert field is "NONE".

    I'm getting error 8949, and I believe that all other parameters are fine and correctly set up (also verified by TAC).

    From the firewall side, I have 443, UDP 4500 and UDP 500 forwarded to the master controller.

    What might be the source of that error code?


    To be clear, you are asking me under what circumstances, if you try to change that field, it gives you an error. I don't know. I suggest you ask them to help you figure out from scratch a basic configuration just to authenticate usernames and passwords against a RADIUS server and grow from there...



  • 25.  RE: VIA redundancy model, if possible?

    Posted Nov 04, 2020 04:07 PM
    What about master/local running VRRP? In this case, should we terminate VIA users on the VRRP IP address?

