Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Any Aruba/VIA solution for pre-logon

  • 1.  Any Aruba/VIA solution for pre-logon

    Posted May 11, 2020 11:39 AM

    Hey

     

    Is it possible to connect to the VPN tunnel before logon? (using the device certificate (system context) and not the user certificate)

     

    (Windows 10)

     

    Garp



  • 2.  RE: Any Aruba/VIA solution for pre-logon

    Posted May 11, 2020 01:35 PM


  • 3.  RE: Any Aruba/VIA solution for pre-logon

    Posted May 13, 2020 01:23 AM

    Hey

     

    Thanks for the answer

     

    I have enabled the domain preconnect (set to 1)

     

    I'm able to connect to the VPN when logged on - but the domain preconnect does not work.

     

    (domain preconnect creates its own profile using this profile)

     

    Where is this profile created? (in registry? - and how do I troubleshoot this?)

     

    Thanks in advance.

     

    Garp



  • 4.  RE: Any Aruba/VIA solution for pre-logon

    Posted May 29, 2020 02:38 AM

    Anything new in this case? I've got the same problem.

     

     



  • 5.  RE: Any Aruba/VIA solution for pre-logon

    EMPLOYEE
    Posted May 29, 2020 01:20 PM

    If you follow the guide on this link:

     

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-Domain-Pre-connect-in-VIA-and-how-does-it-work/ta-p/184550

     

    It should work as described. My personal thoughts on it: use VIA 4.x (the latest for Windows) and make sure the Windows PC is domain joined. It will not work without a domain-joined PC.

     

    I'm currently writing a detailed post about this, but it's not ready to share for now. 



  • 6.  RE: Any Aruba/VIA solution for pre-logon

    Posted May 30, 2020 11:28 AM

     

     

     

     



  • 7.  RE: Any Aruba/VIA solution for pre-logon

    EMPLOYEE
    Posted May 30, 2020 01:00 PM

    Can you share your connection profile?

     

    Attached is mine from a test. 



  • 8.  RE: Any Aruba/VIA solution for pre-logon

    Posted Jul 07, 2020 07:41 AM

    I have a similar problem. 

    VIA is configured with IKEv2 and MSCHAPv2, not with TLS. 

    When the user is logged in, Windows credentials are used to establish a tunnel automatically. But when the user logs off I can't see any connection attempt in the controller log. (Enabled logging level debug)

     

    My connection profile:

     

     

    !
    aaa authentication via connection-profile "via-mschapv2"
        server addr "my.dns.name" internal-ip X.X.X.X desc "wlc1" position 1
        auth-profile "via-auth.mschapv2" position 1
        ikev2-policy "2001"
        ikev2-proto
        ikev2auth eap-mschapv2
        no save-passwords
        dns-suffix-list "domain.local"
    !

     

     

     I played around with different settings, like save-password, to no avail.

    Auth Profile:

     

     

    aaa authentication via auth-profile "via-auth.mschapv2"
        default-role "VIA-User"
        server-group "DOT1CPPM"
        radius-accounting "DOT1CPPM"
        auth-protocol mschapv2
    !

     

     

    Until now I only tested with the VIA 3 client, because I couldn't find any Release Notes about version 4.  Found it

     

    With a logged on user everything works fine, just Domain Pre-Login doesn't work at all.

     

    Edit:

    I saw one single authentication attempt in ClearPass one time when the local user was logged off. But I was not able to replicate it.

    In it, I could see that the computer was trying to authenticate itself, without a user.