Environment : VIA client --> Controller --> Radius server authentication
Details:-
------------
VIA clients were unable to establish connection to the controller and authenticate against CPPM server. From security logs; we could notice "username" being blank for some reason.
VIA version:- 2.1.1.3
Software Version: 6.3.0.1
Debug logs output from controller:-
------------------------------------------------
Jan 3 09:40:20 :103063: <DBUG> |ike| 81.135.116.209:50703-> got username=
Jan 3 09:40:20 :103063: <DBUG> |ike| 81.135.116.209:50703-> got password=******
Jan 3 09:40:20 :103063: <DBUG> |ike| 81.135.116.209:50703-> got user=, pass=*****
This issue occurs with both 32 & 64 bit builds where VIA clients were unable authenticate.
aaa authentication via connection-profile "PNL_via-connection"
server addr "lab.arubanetworks.com" internal-ip 10.10.10.19 desc "VIA Access" position 0
auth-profile "via-radius" position 0
tunnel address 10.0.0.0 netmask 255.0.0.0
split-tunneling
ikev2-policy "10004"
ike-policy "20"
no windows-credentials
lockdown-all-settings
auth_domain_suffix
controllers-load-balance
no domain-pre-connect
no validate-server-cert
dns-suffix-list "lab.arubanetworks.com"
support-email "testlab@arubanetworks.com"
ext-download-url "https://testlab.arubanetworks.com/via"
no allow-user-disconnect
minimized
There were no special info that indicates on Clear pass access Tracker towards the solution.
Use Windows Credentials didn`t make any difference as VIA clients were still unable to authenticate.
Root cause:-
------------------
Found the root cause with End point security firewall application installed on the client were causing connectivity issue for the VIA authentication.
This is the update from latest VIA and ESET endpoint security interop
•Use windows credentials work perfectly fine.
•Every two minutes tunnel gets dropped as the heartbeat messages to internal IP is treated “Detected covert channel exploit in ICMP packet Remote IP Address: Internal IP address”
Scenarios
•Installed VIA and then ESET end point security
•Installed ESET end point security and then VIA
PS: ESET end point security is running at Maximum Protection status on
•Computer
•Network
•Web and email
Find below procedure doc for the test results with regards to ESET end point security application and how to allow the VIA traffic to pass through.
Allowing VIA Virtual Adapter Connection on each connect.
1 Whenever VIA establishes tunnel, it prepares Aruba virtual Adapter. ESET detects this and displays the following to select.
1) Select Any option and then follow the instructions below.
a. Goto Advanced Setup-> Rules and Zones : Select “Do not display dialog withTrusted zone settings when changes ….” And press setup button in the trusted zone.
b. Select the zone that is related to VIA corporate network and check only the adapter type with Virtual adapter as shown in the picture below.
Press OK and Next. Select allow sharing ( This is VIA connection and you might want to share with other computers in your cop network. You can also select Strict protection).
Allowing VIA functionality (post connection).
Whenever VIA establishes tunnel, it communicates with controller by sending encrypted data to it. It also sends ICMP messages to controller and will wait for a reply from controller to see if the CPN tunnel is intact. ESET in its default configuration prevents such communication with the following message in the picture.
This post tunnel activity needs changes in the default configuration of ESET options. Follow the steps below to allow VIA functionality.
1) Select Advanced Setup from the ESET Tray menu.
2) Goto Network->Personal Firewall->IDS and advanced options
3) Expand the Packet Inspection section
4) Clear Covert data in ICMP protocol detection ( checked by default) and press OK.
Notes:-
---------
We found some interoperabilty issues between ESET total protection with VIA.
ESET Total Protection is very restrictive in a default configuration and does not allow for a smooth functioning of VIA.
The version 4 also has a default configuration of "disabling all traffic within the system" breaking the operating system's IPC mechanism.
The version 5 is less restrictive comparatively and lets VIA connect. However we have found two potential problems that mandates changes to the ESET settings for
smooth functioning of VIA. Attached Document has details.
VIA client were able to connect and authenticates fine to pass traffic after allowing VIA on the End point security Firewall application.