Security

Upcoming community maintenance Oct. 27th through Oct. 29th
For more info click here
Reply
Highlighted
Occasional Contributor I

Any Aruba/VIA solution for pre-logon

Hey

 

Is it possible to connect to the VPN tunnel before logon? (using the device certificate (system context) and not the user certificate)

 

(Windows 10)

 

Garp

Highlighted
MVP Expert

Re: Any Aruba/VIA solution for pre-logon

EDIT:

Please see here:

https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-Domain-Pre-connect-in-VIA-and-how-does-it-work/ta-p/184550



Thank you

Victor Fabian

Pardon typos sent from Mobile

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
Occasional Contributor I

Re: Any Aruba/VIA solution for pre-logon

Hey

 

Thnx for the answer

 

I do have enabled the domain preconnect (set to 1)

 

I'm able to connect to the VPN when logged on - but the domain preconnect does not work.

 

(domain preconnect creates its own profile using this profile)//

 

Where is this profile created? (in registry? - and how do I troubleshoot this?)

 

Thnx in advance.

 

Garp

Highlighted
Contributor I

Re: Any Aruba/VIA solution for pre-logon

Anything new in this case? iv got the same problem.

 

 

Highlighted

Re: Any Aruba/VIA solution for pre-logon

If you follow the guide on this link:

 

https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-Domain-Pre-connect-in-VIA-and-how-does-it-work/ta-p/184550

 

It should work as described. My personal thoughts on it, use VIA 4.x (the latest for windows) and make sure the windows pc is domain joined. It will not work without a domain-joined PC. 

 

I'm currently writing a detailed post about this, but it's not ready to share for now. 


visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de
Highlighted
Occasional Contributor I

Re: Any Aruba/VIA solution for pre-logon

 

 

 

 

Highlighted

Re: Any Aruba/VIA solution for pre-logon

can you share your connection profile? 

 

Attached is mine from a test. 


visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de
Highlighted
Occasional Contributor II

Re: Any Aruba/VIA solution for pre-logon

I have a similar problem. 

VIA is configured with IKEv2 and MSCHAPv2, not with TLS. 

When the user is logged in, Windows credentials are used to establish a tunnel automatically. But when the user logs off I can't see any connection attempt in the controller log. (Enabled logging level debug)

 

My connection profile:

 

 

!
aaa authentication via connection-profile "via-mschapv2"
    server addr "my.dns.name" internal-ip X.X.X.X desc "wlc1" position 1
    auth-profile "via-auth.mschapv2" position 1
    ikev2-policy "2001"
    ikev2-proto
    ikev2auth eap-mschapv2
    no save-passwords
    dns-suffix-list "domain.local"
!

 

 

 I played around with different settings, like save-password, to no avail.

Auth Profile:

 

 

aaa authentication via auth-profile "via-auth.mschapv2"
    default-role "VIA-User"
    server-group "DOT1CPPM"
    radius-accounting "DOT1CPPM"
    auth-protocol mschapv2
!

 

 

Until now I only tested with the VIA 3 client, because I couldn't find any Release Notes about version 4.  Found it

 

With a logged on user everything works fine, just Domain Pre-Login doesn't work at all.

 

Edit:

I saw one single authentication attempt in ClearPass one time the local user was logged off. But I was not able to replicate it.

In it, I could see that the computer was trying to authenticate itself, without a user.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: