How to configure VIA on Aruba Controller

Requirement:

 

VIA (Virtual Intranet Access) is a remote access solution offered by Aruba.
Clients use the VIA app on Windows, macOS, iOS, Android or Linux to establish an IPsec VPN connection to the controller and reach the corporate network from remote locations.

Below are the requirements to establish a VIA connection.

  1. Mobility controller with the VIA license installed.
  2. VIA app installed on the client.
  3. UDP 4500 (IKE and IPsec, NAT-T encapsulated) and TCP 443 (profile download and web authentication) allowed between the client and the Mobility controller.


Solution:

VIA clients can connect using either IKEv1 or IKEv2.

With IKEv1, phase 1 authentication uses a pre-shared key (PSK) or X.509 certificates.
The user is then authenticated with a username and password (XAuth), which is checked against the server group mapped in the VIA authentication profile.

With IKEv2 there is a single authentication phase, and EAP has to be terminated on the external RADIUS server rather than on the controller.
EAP-MSCHAPv2, EAP-TLS, EAP-GTC or user certificates can be configured as the client authentication method.


 



Configuration:

The steps below use IKEv1 with a pre-shared key for phase 1 (step 8) and a RADIUS server (ClearPass, steps 2 and 3) for the username/password authentication.

1. Configure the L2TP IP pool from which VIA clients are assigned their inner IP address.

  • The pool must be routable from the corporate network (the internal network needs a route for this range pointing at the controller); otherwise return traffic to the VIA client never reaches it.
  • Each VIA client is assigned one address from this range.
ip local pool "via" 9.1.1.1 9.1.1.100


2. Configure the RADIUS server (ClearPass in this example). The key is entered in plain text and is displayed encrypted in the running configuration, as shown below.

aaa authentication-server radius "CPPM"
    host "10.23.194.150"
    key e28e7b9f020f09761731d2fa904a701e0da243b56cf279b2
!


3. Configure the AAA server group.

  • Map the RADIUS server to the server group.

aaa server-group "CPPM_RADIUS"
 auth-server CPPM position 1
!

 

4. Configure the VIA authentication profile.

  • Map the server group and the user role to the VIA authentication profile. The default-role is the role the client is placed in after successful authentication.
aaa authentication via auth-profile "CPPM"
    default-role "via-role"
    server-group "CPPM_RADIUS"
!

 

5. Configure the VIA connection profile.

  • Map the VIA authentication profile to the VIA connection profile.
  • Configure the server address, which is the (public) IP of the controller reachable from the client.
  • Specify the tunnel subnet (corporate network) whose traffic has to be sent inside the VPN tunnel.
  • With split tunneling enabled, only traffic to the tunnel subnets is sent through the IPsec tunnel; everything else is routed locally by the client. Without split tunneling, all client traffic goes through the tunnel.
aaa authentication via connection-profile "Employee"
    server addr "10.23.197.232" internal-ip 192.167.100.1 desc "Via-Server-1" position 1
    auth-profile "CPPM" position 1
    tunnel address 50.50.50.0 netmask 255.255.255.0
    split-tunneling
!

 

6. Configure the VIA web-auth profile.

  • Map the VIA authentication profile to the web-auth profile.
  • When the client first connects (over TCP 443) to download its profile, web authentication is done against the authentication profile/server mapped here.
  • Once the VIA connection profile has been downloaded, IPsec authentication is performed against the authentication profile mapped in the connection profile.
  • Multiple VIA authentication profiles can be mapped under web-auth; the client is then prompted to choose the appropriate one.
  • For example, separate VIA authentication profiles can be created for different departments or roles.

aaa authentication via web-auth "default"          
    auth-profile "CPPM" position 1
!

 

7. Configure the user role with the L2TP pool and the VIA connection profile.

  • "default-via-role" is the built-in default user role for VIA.
  • A new role can also be created as required; this example uses "via-role", which must match the default-role set in the VIA authentication profile in step 4.
  • Map the L2TP pool and the VIA connection profile to the user role. The session ACLs decide what the client can reach; "allowall" is used here for illustration and should be narrowed to the required corporate resources in production.
user-role via-role
 pool l2tp via
 via "Employee"
    access-list session global-sacl
    access-list session apprf-via-role-sacl
    access-list session allowall
!

 

8. Configure the ISAKMP key for phase 1 authentication.

  • Navigate to Configuration -> Services -> VPN -> Shared Secret and create an ISAKMP key (the pre-shared key the VIA client presents for IKEv1 phase 1).

 

9. Configure the corporate DNS server to be pushed to the client.
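Most VIA failures after following steps 1 to 9 come from a broken reference somewhere in the chain (web-auth -> auth-profile -> server-group -> auth-server, and auth-profile default-role -> user-role -> pool + connection-profile -> auth-profile). The following script is an added example, not code from the article or from ArubaOS: it models the article's configuration as a dict (the names via, CPPM, CPPM_RADIUS, Employee and via-role are the article's; the dict layout and the check function are this example's own) and reports any reference that does not resolve.

```python
"""Consistency check for the VIA profile chain built in steps 1 to 9.

Added example, not code from the article or from ArubaOS. The profile names
are those used in the article; the dict model and the check are this
example's own construction.
"""
import ipaddress

# Constructed model of the article's configuration, one key per config step.
VIA_CONFIG = {
    "pools": {"via": ("9.1.1.1", "9.1.1.100")},                      # step 1
    "auth_servers": {"CPPM": "10.23.194.150"},                        # step 2
    "server_groups": {"CPPM_RADIUS": ["CPPM"]},                       # step 3
    "auth_profiles": {                                                # step 4
        "CPPM": {"server_group": "CPPM_RADIUS", "default_role": "via-role"},
    },
    "connection_profiles": {                                          # step 5
        "Employee": {
            "server_addr": "10.23.197.232",
            "auth_profiles": ["CPPM"],
            "tunnel_subnets": ["50.50.50.0/24"],
            "split_tunneling": True,
        },
    },
    "web_auth": {"default": ["CPPM"]},                                # step 6
    "user_roles": {"via-role": {"pool": "via", "via": "Employee"}},   # step 7
}


def check_via_config(cfg):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []

    for name, (start, end) in cfg["pools"].items():
        if ipaddress.ip_address(start) > ipaddress.ip_address(end):
            problems.append(f"pool {name}: start {start} is after end {end}")

    for grp, servers in cfg["server_groups"].items():
        if not servers:
            problems.append(f"server-group {grp}: no auth-server mapped")
        for srv in servers:
            if srv not in cfg["auth_servers"]:
                problems.append(f"server-group {grp}: auth-server {srv} is not defined")

    for ap, prof in cfg["auth_profiles"].items():
        if prof["server_group"] not in cfg["server_groups"]:
            problems.append(f"auth-profile {ap}: server-group {prof['server_group']} is not defined")
        role = cfg["user_roles"].get(prof["default_role"])
        if role is None:
            problems.append(f"auth-profile {ap}: default-role {prof['default_role']} is not defined")
        elif role["via"] is None or role["pool"] is None:
            problems.append(f"user-role {prof['default_role']}: needs both an l2tp pool and a VIA connection profile")

    for cp, prof in cfg["connection_profiles"].items():
        for ap in prof["auth_profiles"]:
            if ap not in cfg["auth_profiles"]:
                problems.append(f"connection-profile {cp}: auth-profile {ap} is not defined")
        for net in prof["tunnel_subnets"]:
            try:
                ipaddress.ip_network(net)
            except ValueError:
                problems.append(f"connection-profile {cp}: bad tunnel address {net}")
        if prof["split_tunneling"] and not prof["tunnel_subnets"]:
            # Split tunneling with no tunnel address means no corporate traffic enters the tunnel.
            problems.append(f"connection-profile {cp}: split-tunneling enabled with no tunnel address")

    for wa, profiles in cfg["web_auth"].items():
        for ap in profiles:
            if ap not in cfg["auth_profiles"]:
                problems.append(f"web-auth {wa}: auth-profile {ap} is not defined")

    for rname, role in cfg["user_roles"].items():
        if role["pool"] is not None and role["pool"] not in cfg["pools"]:
            problems.append(f"user-role {rname}: l2tp pool {role['pool']} is not defined")
        if role["via"] is not None and role["via"] not in cfg["connection_profiles"]:
            problems.append(f"user-role {rname}: connection-profile {role['via']} is not defined")

    return problems


if __name__ == "__main__":
    for line in check_via_config(VIA_CONFIG) or ["profile chain is consistent"]:
        print(line)
```

Typing the names by hand in each profile is where mistakes creep in; a typo in default-role, for instance, leaves authenticated clients without a pool or connection profile, and the check above reports exactly that reference.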

 

 



Verification

The client shows up twice in the user table: the outer (public) IP in the logon role, and the inner IP assigned from the L2TP pool in via-role, with Auth VIA-VPN and the outer IP as the VPN link.

 

(Node5) [MDC] # show user-table 

Users
-----
    IP              MAC            Name     Role      Age(d:h:m)  Auth     VPN link       AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type  Host Name  User Type
----------     ------------       ------    ----      ----------  ----     --------       -------  -------  ---------------  -------  ------------  ----  ---------  ---------
9.1.1.4        00:00:00:00:00:00  abdul     via-role  00:00:00    VIA-VPN  10.27.150.106  N/A                                         tunnel                         WIRELESS
10.27.150.106  00:00:00:00:00:00            logon     00:00:00                            N/A                                         tunnel                         WIRELESS

User Entries: 2/2
 Curr/Cum Alloc:3/26 Free:0/23 Dyn:3 AllocErr:0 FreeErr:0
(Node5) [MDC] #

 

An IPsec SA is formed between the client (initiator) and the controller (responder); the Inner IP column shows the pool address assigned to the client. Note that this capture is from a different connection than the user table above (9.1.1.5 here, 9.1.1.4 there).

(Node5) [MDC] #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP      
------------     ------------     -----------         -----------         -----  ---------------   --------
10.27.150.106    10.23.197.232    9.1.1.5/32          0.0.0.0/0           UT     Apr 30 08:23:32   9.1.1.5    
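When checking a VIA session, the two outputs above should agree: the user-table entry in via-role must carry an inner IP from the pool of step 1, and an IPsec SA from the same outer IP must show that same inner IP. The script below is an added example, not code from the article or from ArubaOS; the two outputs embedded in it are constructed from the article's verification section, trimmed to the relevant columns and with the same inner IP (9.1.1.4) in both captures, and the parsers and checks are this example's own.

```python
"""Correlate 'show user-table' with 'show crypto ipsec sa' for a VIA client.

Added example, not code from the article or from ArubaOS. The two outputs
below are constructed from the article's verification section (trimmed
columns, consistent inner IP); the parsing and the checks are this
example's own.
"""
import ipaddress
import re

# From step 1 of the configuration.
POOL_START, POOL_END = ipaddress.ip_address("9.1.1.1"), ipaddress.ip_address("9.1.1.100")
EXPECTED_ROLE = "via-role"

USER_TABLE = """\
Users
-----
    IP              MAC            Name     Role      Age(d:h:m)  Auth     VPN link       AP name  Forward mode  User Type
----------     ------------       ------    ----      ----------  ----     --------       -------  ------------  ---------
9.1.1.4        00:00:00:00:00:00  abdul     via-role  00:00:00    VIA-VPN  10.27.150.106  N/A      tunnel        WIRELESS
10.27.150.106  00:00:00:00:00:00            logon     00:00:00                            N/A      tunnel        WIRELESS

User Entries: 2/2
"""

IPSEC_SA = """\
IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP
------------     ------------     -----------         -----------         -----  ---------------   --------
10.27.150.106    10.23.197.232    9.1.1.4/32          0.0.0.0/0           UT     Apr 30 08:23:32   9.1.1.4
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
AGE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")


def parse_user_table(text):
    """One dict per user row. Rows are recognised by their leading IP and MAC columns;
    the Age column anchors the others because Name is blank on the outer-IP entry."""
    users = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not IP_RE.match(tok[0]) or not MAC_RE.match(tok[1]):
            continue
        rest = tok[2:]
        age = next((i for i, t in enumerate(rest) if AGE_RE.match(t)), None)
        if age is None:
            continue
        col = lambda i: rest[i] if 0 <= i < len(rest) else ""
        auth = col(age + 1)
        if auth == "N/A":          # no Auth column value, the N/A belongs to AP name
            auth = ""
        users.append({
            "ip": tok[0],
            "name": col(age - 2) if age >= 2 else "",
            "role": col(age - 1),
            "auth": auth,
            "vpn_link": col(age + 2) if auth == "VIA-VPN" else "",
        })
    return users


def parse_ipsec_sa(text):
    """Map initiator (outer) IP -> inner IP for every active SA row."""
    sas = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and IP_RE.match(tok[0]) and IP_RE.match(tok[1]) and IP_RE.match(tok[-1]):
            sas[tok[0]] = tok[-1]
    return sas


def verify_via_sessions(user_table, ipsec_sa):
    """Per VIA user: correct role, inner IP inside the pool, and an IPsec SA from the
    same outer IP that carries the same inner IP."""
    sas = parse_ipsec_sa(ipsec_sa)
    results = {}
    for u in parse_user_table(user_table):
        if u["auth"] != "VIA-VPN":
            continue               # the outer-IP entry sits in the logon role and has no VPN link
        inner = ipaddress.ip_address(u["ip"])
        results[u["name"]] = {
            "inner_ip": u["ip"],
            "outer_ip": u["vpn_link"],
            "role_ok": u["role"] == EXPECTED_ROLE,
            "in_pool": POOL_START <= inner <= POOL_END,
            "sa_matches": sas.get(u["vpn_link"]) == u["ip"],
        }
    return results


if __name__ == "__main__":
    for name, r in verify_via_sessions(USER_TABLE, IPSEC_SA).items():
        print(name, r)
```

A user in via-role whose inner IP is outside the pool, or whose outer IP has no matching SA, points at the role/pool mapping in step 7 or at the IPsec side of the connection rather than at RADIUS.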

 

RADIUS request on the ClearPass server (screenshot not reproduced on this page).

 

Version history: revision 2 of 2, last update 07-20-2020 07:30 AM.
 