Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA Questions

  • 1.  VIA Questions

    Posted Dec 05, 2012 08:07 PM

    Hello

    I configured the VIA

    And it's connecting, but I just got access to the internal IP address of the controller, nothing else... and well, internet, because I got split tunneling, but I got no access to the internal network....

    On the connection profile I introduced the tunneled networks, which are my internal networks, right?

    Also, on the profile that I'm getting, which is a derived profile called ingenieria, I got in it a firewall rule that got an all-to-all rule

    On that rule I also put the L2TP pool; I got the pool configured

    And also on the VIA profile I got the profile configured

    What else am I missing?

    Ah yeah, does this have support for Windows 8? On my Windows 8 desktop it didn't work.... but it works on my Windows 7 machine....

    On my Windows 8 I get an error... and it won't let me connect... about a ikesmp

    Cheers

    Carlos



  • 2.  RE: VIA Questions

    EMPLOYEE
    Posted Dec 05, 2012 08:12 PM

    So, if the VPN pool that you are using to assign your clients IP addresses is fully routable in your network, you're good. If it is NOT fully routable, you need to add a src-nat rule at the end of the firewall policies of the VIA user:

    http://community.arubanetworks.com/t5/VIA-and-CSS/Issue-with-VIA-in-route-mode-NAT-works-fine-Any-suggestions/m-p/37944/highlight/true#M125



  • 3.  RE: VIA Questions

    Posted Dec 05, 2012 11:25 PM

    Nice Collin! Thank you, it's working now...

    I got a few more questions

    1- The other issue I'm having is that when I'm accessing the VIA web page for the download of the VIA for a new machine, it's not autodetecting correctly my OS of 64-bit... it always says that it is 32-bit when it is not... so it downloads the incorrect file...

    I had to manually download it... is there a way to fix this? Or is it something I'm doing wrong?

    2- If I got 2 internet connections in my company and I got 2 profiles for each one... one for ISP 1 plugged into the firewall and the other for the second ISP plugged into the firewall... is there a way that the VIA, if it cannot connect to one, will automatically try using the second profile to connect? Is that possible?

    As far as I see, the VIA is really good in the way for the user... really GOOD user experience... you actually don't notice you are connected.. it does not even show in the icon tray or anywhere.... it's like going to the office and connecting to the wired or wireless connection.... this is a good plus, because I had some clients asking me that they wanted an SSL or VPN client that magically connects and didn't appear anywhere so it didn't confuse the user, and VIA is about that... with the SSL client of the firewall brand we sell you don't have that option.

    Also the derived roles do a good job with the integration of the firewall policies of the WLAN and remote access.

    Anyways, looks good on Windows... now I need to test it on iPads, tablets, and Androids....



  • 4.  RE: VIA Questions

    Posted Dec 06, 2012 12:58 AM

    1. Currently OS detection is not properly implemented. It actually detects the browser version. I guess you are using a 32-bit browser on a 64-bit machine.

    In the latest VIA we have solved the issue by providing links to all installers.

    2. You can use two different VIA controller entries in the same connection profile, if both IPs are on the same controller.

    If both IPs are on different controllers you have to have both connection profiles exactly the same and add both controller entries in the connection profile on both controllers.

    Let me know if you have any issues.





  • 6.  RE: VIA Questions

    Posted Dec 06, 2012 11:38 AM

    Hello vpatil.

    I downloaded the latest firmware available of the VIA

    I changed the name of the 64-bit to the actual name; just at the end I put 64bit. I don't know if that's the issue?

    The other thing

    I enabled the SSL fallback and it says it's in beta???

    Will this fallback work on iOS, Androids???

    Another question

    What Androids are compatible with this? It seems my phone is not compatible; I got a Samsung Galaxy Ace, Android version 4.04



  • 7.  RE: VIA Questions

    Posted Dec 06, 2012 12:09 PM

    I downloaded the latest firmware available of the VIA

    I changed the name of the 64-bit to the actual name; just at the end I put 64bit. I don't know if that's the issue?

    I didn't get this question.

    The other thing

    I enabled the SSL fallback and it says it's in beta???

    What is the AOS version? In some AOS versions it says it is a beta version. We had a bug for this.

    Will this fallback work on iOS, Androids???

    SSL fallback works on Android and iOS devices.

    Another question

    What Androids are compatible with this? It seems my phone is not compatible; I got a Samsung Galaxy Ace, Android version 4.04

    Aruba VIA is supported on Android running Ice Cream Sandwich (4.0.2) onwards.



  • 8.  RE: VIA Questions

    Posted Dec 06, 2012 12:54 PM

    1- I got the latest one

    6.1.3.5 AOS version, and it says it's a BETA when I enable it

    2- Aruba VIA is supported on Android running Ice Cream Sandwich (4.0.2) onwards.

    Answer: my cellphone is Android 4.04 and it doesn't work :( it says it's not compatible! It should work, I guess

    3- When I connect to the arubaipaddress/via I authenticate, then it tells me that my operating system is 32-bit when it's 64-bit...

    I already uploaded the latest VIA 2.1.0 2.34806



  • 9.  RE: VIA Questions

    Posted Dec 06, 2012 01:10 PM

    1- I got the latest one

    6.1.3.5 AOS version, and it says it's a BETA when I enable it.

    I guess it's a bug in that particular AOS version.

    2- Aruba VIA is supported on Android running Ice Cream Sandwich (4.0.2) onwards.

    Answer: my cellphone is Android 4.04 and it doesn't work :( it says it's not compatible! It should work, I guess.

    Oops, missed mentioning earlier: is your phone's Android kernel version 3.0.8? If so it should work, else report to Aruba support.

    3- When I connect to the arubaipaddress/via I authenticate, then it tells me that my operating system is 32-bit when it's 64-bit...

    I already uploaded the latest VIA 2.1.0 2.34806

    It is wrongly implemented, or it's a bug; it detects the browser version. Make sure you use a 64-bit browser as well.



  • 10.  RE: VIA Questions

    Posted Dec 06, 2012 01:20 PM

    Hello Vpan, thank you very much for answering so fast!

    Well, you said in an earlier message that the issue with the browser was fixed, that I didn't need to use the 64-bit browser. If you do, well, we will need to advise clients that they must use the 64-bit browser....

    My kernel version is 2.6... so I guess mine is not supported then...

    Anything else I should tell the client, besides that information?



  • 11.  RE: VIA Questions

    Posted Dec 06, 2012 11:54 PM

    Nothing else.



  • 12.  RE: VIA Questions

    EMPLOYEE
    Posted Dec 06, 2012 11:57 PM

    @NightShade1 wrote:

    Hello Vpan, thank you very much for answering so fast!

    Well, you said in an earlier message that the issue with the browser was fixed, that I didn't need to use the 64-bit browser. If you do, well, we will need to advise clients that they must use the 64-bit browser....

    My kernel version is 2.6... so I guess mine is not supported then...

    Anything else I should tell the client, besides that information?


    You can fix the browser detection issue by uploading a new VIA page using the HTML in the post here: http://community.arubanetworks.com/t5/VIA-and-CSS/repost-of-the-useful-code-snippet-for-client-autodetection/m-p/21704/highlight/false#M27

    ArubaOS 6.2 will have the fix to the VIA detection page.



  • 13.  RE: VIA Questions

    Posted Dec 09, 2012 01:06 PM

    Thanks Collin

    VIA is working great on Windows...

    But I'm having problems setting it up on Mac

    The problem I got is that I cannot forward that, I mean the IP protocol 50.

    Do I need to give it a total IP? I don't think you are able to do that in any firewall.. How do you overcome this? Has anyone done it in a port forwarding mode and made it work with Mac?



  • 14.  RE: VIA Questions

    EMPLOYEE
    Posted Dec 09, 2012 03:31 PM

    You just have to permit IP protocol 50. What firewall is this?



  • 15.  RE: VIA Questions

    Posted Dec 09, 2012 03:33 PM

    A Fortigate

    When I'm doing port forwarding I just got the option of TCP or UDP

    I could in the firewall rules permit protocol IP to the internal network... but it won't be forwarded to the controller? I'm kind of confused, to be honest...



  • 16.  RE: VIA Questions

    EMPLOYEE
    Posted Dec 09, 2012 03:41 PM

    You do need to forward it. Strangely enough, the Fortinet VPN client needs these protocols http://www.juniperforum.com/index.php?topic=6591.0



  • 17.  RE: VIA Questions

    Posted Dec 09, 2012 03:45 PM

    As far as I understand here

    IP protocol 50 is ESP and IP protocol 51 is AH.
    These are not ports but protocols in the IP suite.
    To pass IPsec you allow ESP (or AH depending) and UDP/500 (IKE)
    UDP/4500 is for NAT-T (NAT Traversal) which solves ESP (or AH) going through NAT

    which means by opening port 4500 it will let in also the IP protocol 50.... so I don't need to do that, it will do it automatically?

    How do you do it on the firewalls you use, Collin?



  • 18.  RE: VIA Questions

    EMPLOYEE
    Posted Dec 09, 2012 04:00 PM

    @NightShade1 wrote:

    As far as I understand here

    IP protocol 50 is ESP and IP protocol 51 is AH.
    These are not ports but protocols in the IP suite.
    To pass IPsec you allow ESP (or AH depending) and UDP/500 (IKE)
    UDP/4500 is for NAT-T (NAT Traversal) which solves ESP (or AH) going through NAT

    which means by opening port 4500 it will let in also the IP protocol 50.... so I don't need to do that, it will do it automatically?

    How do you do it on the firewalls you use, Collin?


    UDP/4500 is NAT-T

    That is different from ESP (Encapsulating Security Payload)

    Which is also different from AH

    All three must be allowed. Check out the Microsoft vanilla explanation here: http://support.microsoft.com/kb/233256

    The firewall should be able to permit "protocols" as well as UDP and TCP ports.



  • 19.  RE: VIA Questions

    Posted Dec 09, 2012 04:04 PM

    Well, if that's true then I must be doing something else wrong..

    I got the Windows client working perfectly with SSL fallback and everything and it's awesome...

    Now I'm just missing Mac and iPads

    I already port forwarded the ports UDP 500, 1701, TCP 1723, UDP 4500, TCP 443

    My boss was trying to connect via a Mac or his iPad but he said that he couldn't... he could not even pass the part of the authentication....

    I am using PAP for authentication and on the network policy on the NPS I got PAP selected.

    I don't know if I'm missing something??

    Here is the relevant config:

    aaa authentication via auth-profile "Alternetworks_VIA"
    server-group "OptiWifi_srvgrp-xam55"

    aaa server-group "OptiWifi_srvgrp-xam55"
     auth-server NPS
     set role condition Filter-Id value-of

    aaa authentication via connection-profile "Alternetworks_Connection_Profile"
       server addr "200.75.219.10" internal-ip 172.16.3.221 desc "Alternetworks_Office_Controller" position 0
       auth-profile "Alternetworks_VIA" position 0
       tunnel address 172.16.3.0 netmask 255.255.255.0
       tunnel address 172.29.0.0 netmask 255.255.255.0
       tunnel address 172.16.2.0 netmask 255.255.255.0
       tunnel address 172.31.3.0 netmask 255.255.255.0
       tunnel address 10.10.100.0 netmask 255.255.255.0
       split-tunneling
       ikev2-policy "10004"
       no windows-credentials

    aaa authentication via web-auth "default"
       auth-profile "Alternetworks_VIA" position 0

    user-role Ingenieria
     pool l2tp VIA
     via "Alternetworks_Connection_Profile"
     access-list session allowall

    user-role default-via-role
     pool l2tp VIA
     via "Alternetworks_Connection_Profile"
     access-list session allowall

    aaa authentication via web-auth "default"
       auth-profile "Alternetworks_VIA" position 0
    !
    aaa authentication via global-config
       ssl-fallback-enable

    Now I don't know why it says IKEv2 10024 as I didn't enable IKEv2; it's not with the checkbox.... it's clear... and as far as I read, Mac doesn't work with IKEv2 yet, it just works with IKEv1....

    Any help is appreciated... I really want to finish with this already as I really want to start showing this to clients... but I need to have it working with Windows, iOS and Androids....
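The connection profile pasted above is what decides which destinations a split-tunnel client sends through the VPN. The script below is an added example (not code from the thread, Aruba, or the poster): it parses the `tunnel address ... netmask ...` lines of that profile and answers, for any destination, whether the client would tunnel it or send it straight to the internet. This is the check behind the first symptom in the thread (only the controller reachable): any internal subnet that is not listed is simply not tunneled. The public server address is replaced by a documentation address; the `strict=True` check catches a tunnel address with host bits set, which is a common typo in these lists.

```python
"""Split-tunnel route check for an Aruba VIA connection profile (added example)."""
import ipaddress
import re

# Constructed input: the connection profile from the thread, with the
# real public server address replaced by a documentation address.
PROFILE_TEXT = """\
aaa authentication via connection-profile "Alternetworks_Connection_Profile"
   server addr "203.0.113.10" internal-ip 172.16.3.221 desc "Alternetworks_Office_Controller" position 0
   auth-profile "Alternetworks_VIA" position 0
   tunnel address 172.16.3.0 netmask 255.255.255.0
   tunnel address 172.29.0.0 netmask 255.255.255.0
   tunnel address 172.16.2.0 netmask 255.255.255.0
   tunnel address 172.31.3.0 netmask 255.255.255.0
   tunnel address 10.10.100.0 netmask 255.255.255.0
   split-tunneling
   ikev2-policy "10004"
   no windows-credentials
"""

TUNNEL_RE = re.compile(r"^\s*tunnel address (\S+) netmask (\S+)\s*$")


def parse_profile(text):
    """Return (tunneled_networks, split_tunnel_enabled).

    Raises ValueError when a tunnel address has host bits set (for example
    'tunnel address 172.16.3.5 netmask 255.255.255.0'), because such a line
    does not describe the network the author meant.
    """
    networks = []
    split = False
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            addr, mask = m.groups()
            try:
                # ip_network accepts a dotted netmask; strict=True rejects host bits.
                networks.append(ipaddress.ip_network(f"{addr}/{mask}", strict=True))
            except ValueError as exc:
                raise ValueError(f"bad tunnel address line: {line.strip()}") from exc
        elif line.strip() == "split-tunneling":
            split = True
    return networks, split


def route_for(dest, networks, split_tunnel):
    """'tunnel' if dest goes through the VPN, 'direct' if it leaves via the local internet."""
    ip = ipaddress.ip_address(dest)
    if not split_tunnel:
        return "tunnel"  # full tunnel: everything goes to the controller
    return "tunnel" if any(ip in n for n in networks) else "direct"


def unreachable_internal(dests, networks, split_tunnel):
    """Internal destinations the user expects to reach but which are not tunneled."""
    return [d for d in dests if route_for(d, networks, split_tunnel) == "direct"]


if __name__ == "__main__":
    nets, split = parse_profile(PROFILE_TEXT)
    print("split-tunneling:", split)
    for d in ["172.16.3.221", "10.10.100.7", "192.168.50.9", "8.8.8.8"]:
        print(f"{d:15} -> {route_for(d, nets, split)}")
```

Run it against a copy of your own `show running-config` output: every internal server address that prints `direct` under split tunneling needs its subnet added as a `tunnel address` line before the client will reach it.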



  • 20.  RE: VIA Questions

    EMPLOYEE
    Posted Dec 09, 2012 04:10 PM

    You need to allow L2TP VPN ports in on the firewall, period. It will not work without those.



  • 21.  RE: VIA Questions

    Posted Dec 09, 2012 04:13 PM

    Collin

    those ports are already forwarded

    Ports needed for L2TP VPN

    - TCP Port 1701
    - UDP Port 500

    Both already forwarded



  • 22.  RE: VIA Questions

    Posted Dec 09, 2012 04:15 PM

    Also

    Ports needed for IPsec/ESP

    - UDP Port 500

    Already forwarded



  • 23.  RE: VIA Questions

    Posted Dec 09, 2012 04:20 PM

    Second... I had UDP 1701 instead of TCP 1701

    Will come back later with the results, when I can get access to one Mac or iPad...

    As for my config, is it okay? Or am I missing something?



  • 24.  RE: VIA Questions

    EMPLOYEE
    Posted Dec 09, 2012 04:32 PM

    You need to create a custom IP service to allow protocols 50 and 51: http://www.scribd.com/doc/87331764/259/Configuring-custom-services



  • 25.  RE: VIA Questions

    Posted Dec 09, 2012 04:44 PM

    Really appreciate your effort in helping, Collin!

    But that is for the firewall rules, not for the port forwarding...

    Okay, I got it set up like this.

    I got what Fortigate calls a Virtual IP, okay?

    Now with this virtual IP I map a public IP address to an internal IP address

    Additionally I can port forward, so for example I have an IP address, let's say 190.2.5.6, and have different services to different internal servers using it, for example

    190.2.5.6 mapped to 192.168.1.5 on port 80

    190.2.4.6 mapped to 192.168.1.6 on port 10443

    Now for the Remote AP I got this

    190.2.4.6 mapped to 192.168.1.20 (wireless controller IP) UDP 4500

    190.2.4.6 mapped to 192.168.1.20 UDP 69

    For VIA

    190.2.4.6 mapped to 192.168.1.20 TCP 443

    190.2.4.6 mapped to 192.168.1.20 TCP 1701

    190.2.4.6 mapped to 192.168.1.20 TCP 1723

    190.2.4.6 mapped to 192.168.1.20 UDP 500

    Now that's what I got there...

    When you create a port forward there is no option of IP; you can just select TCP or UDP protocols, nothing else...

    About the custom ports, that's for the firewall rule, not for the virtual IP, which maps one external IP to an internal IP

    In the firewall rule I got a virtual IP like this

    PORT WAN!
    ALL

    PORT INTERNAL
    Virtual IP GROUP

    PORTS Allowed
    ANY

    For now I got the ports as ANY because I'm testing...

    So in the firewall rule I'm allowing all the ports... if I were blocking ports, yes, I can create the IP protocol with the custom port for the firewall rule, but that's just for the firewall rule, not for the virtual IP which port forwards.

    You got what I mean?

    When I tested I had UDP 1701; I'm hoping that's the mistake... which I just changed to TCP 1701... and as you said it won't work if I don't have the L2TP ports forwarded... and I didn't, because I had UDP 1701 instead of TCP 1701, which is the port I need!

    The sad thing is that it's Sunday and I don't own an iPad :P so I can't test! :(
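The port-forward table above makes the core problem of this thread concrete: a Virtual IP only offers TCP or UDP, so IP protocols such as ESP (50) can never appear in it, and a port can be forwarded with the wrong transport. The script below is an added example, not code from the thread, Aruba or Fortinet, that audits such a table against what an IPsec/L2TP client with SSL fallback needs. The required list is my own, taken from the protocol standards rather than settled by the thread: IKE on UDP/500, NAT-T on UDP/4500 (RFC 3948), L2TP on UDP/1701 (RFC 2661), TCP/443 for the SSL fallback, and ESP, which needs a protocol-level permit in the firewall policy. The public address is replaced by a documentation address.

```python
"""Audit a TCP/UDP port-forward table against IPsec/L2TP VPN needs (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    public_ip: str
    internal_ip: str
    proto: str   # "tcp" or "udp": the only choices a port forward offers
    port: int


# Constructed from the mappings listed in the post above (documentation
# address instead of the poster's real public IP).
FORWARDS = [
    Forward("203.0.113.6", "192.168.1.20", "udp", 4500),
    Forward("203.0.113.6", "192.168.1.20", "udp", 69),
    Forward("203.0.113.6", "192.168.1.20", "tcp", 443),
    Forward("203.0.113.6", "192.168.1.20", "tcp", 1701),
    Forward("203.0.113.6", "192.168.1.20", "tcp", 1723),
    Forward("203.0.113.6", "192.168.1.20", "udp", 500),
]

# (name, kind, value, note): kind "port" carries (proto, port); kind "ipproto"
# carries an IP protocol number, which a TCP/UDP-only forward cannot express.
REQUIRED = [
    ("IKE",          "port",    ("udp", 500),  "IKE key exchange"),
    ("NAT-T",        "port",    ("udp", 4500), "UDP-encapsulated ESP (RFC 3948) when a NAT is in the path"),
    ("L2TP",         "port",    ("udp", 1701), "L2TP is registered on UDP/1701 (RFC 2661)"),
    ("SSL fallback", "port",    ("tcp", 443),  "VIA SSL fallback"),
    ("ESP",          "ipproto", 50,            "IP protocol 50: needs a protocol permit, not a port forward"),
]


def _present(forwards, controller_ip):
    return {(f.proto, f.port) for f in forwards if f.internal_ip == controller_ip}


def audit(forwards, required, controller_ip):
    """Map each requirement to 'ok', 'missing' or 'protocol-only'.

    'protocol-only' marks IP-protocol requirements (ESP/AH): the forward table
    cannot carry them, so they must be permitted as protocols in the firewall
    policy, or travel inside NAT-T on UDP/4500 when the peers detect a NAT.
    """
    present = _present(forwards, controller_ip)
    result = {}
    for name, kind, value, _note in required:
        if kind == "ipproto":
            result[name] = "protocol-only"
        else:
            result[name] = "ok" if value in present else "missing"
    return result


def near_misses(forwards, required, controller_ip):
    """Missing ports that are forwarded with the other transport (e.g. TCP/1701 instead of UDP/1701)."""
    present = _present(forwards, controller_ip)
    out = []
    for name, kind, value, _note in required:
        if kind != "port" or value in present:
            continue
        proto, port = value
        other = ("tcp" if proto == "udp" else "udp", port)
        if other in present:
            out.append((name, other, value))
    return out


if __name__ == "__main__":
    controller = "192.168.1.20"
    res = audit(FORWARDS, REQUIRED, controller)
    for name, _kind, _value, note in REQUIRED:
        print(f"{name:12} {res[name]:14} {note}")
    for name, have, need in near_misses(FORWARDS, REQUIRED, controller):
        print(f"{name}: forwarded as {have[0].upper()}/{have[1]}, required {need[0].upper()}/{need[1]}")
```

The `protocol-only` result for ESP is the honest answer to "can I forward protocol 50?": not through a TCP/UDP forward. Either the firewall policy permits the protocol toward the controller, or the client ends up using NAT-T, which is exactly the UDP/4500 entry the audit checks for.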




  • 26.  RE: VIA Questions

    Posted Dec 09, 2012 04:56 PM

    As far as I understand, what I got should be enough; I mean ESP is a protocol, not a port... so I cannot forward it. But I need to let it in, in the firewall rules, that protocol, and I'm doing so as I got ALL ports (for the testing); then I will close all that after I got everything working...

    I don't worry too much about it as it's just a remote LAB we got in our office, not a production network or anything...



  • 27.  RE: VIA Questions
    Best Answer

    Posted Dec 14, 2012 04:12 PM

    The TAC helped me to figure out the problem; here is the resolution

    Okay, the problem is that on the VPN profile, well, I configured it; we are okay there...

    But you NEED, for some reason, in the VIA authentication profile, to configure the default profile... if you use a VIA authentication profile that you configured by yourself... it doesn't work for iPads... but it does work for Windows and Androids....

    Now you need to configure the default VIA authentication profile to make it work... otherwise it won't work...

    I don't know if that's a bug or if it should be configured that way.

    Anyways, now it works

    Cheers

    Carlos



  • 28.  RE: VIA Questions

    EMPLOYEE
    Posted Dec 06, 2012 04:20 AM

    @NightShade1 wrote:

    Nice Collin! Thank you, it's working now...

    I got a few more questions

    1- The other issue I'm having is that when I'm accessing the VIA web page for the download of the VIA for a new machine, it's not autodetecting correctly my OS of 64-bit... it always says that it is 32-bit when it is not... so it downloads the incorrect file...

    I had to manually download it... is there a way to fix this? Or is it something I'm doing wrong?

    2- If I got 2 internet connections in my company and I got 2 profiles for each one... one for ISP 1 plugged into the firewall and the other for the second ISP plugged into the firewall... is there a way that the VIA, if it cannot connect to one, will automatically try using the second profile to connect? Is that possible?

    As far as I see, the VIA is really good in the way for the user... really GOOD user experience... you actually don't notice you are connected.. it does not even show in the icon tray or anywhere.... it's like going to the office and connecting to the wired or wireless connection.... this is a good plus, because I had some clients asking me that they wanted an SSL or VPN client that magically connects and didn't appear anywhere so it didn't confuse the user, and VIA is about that... with the SSL client of the firewall brand we sell you don't have that option.

    Also the derived roles do a good job with the integration of the firewall policies of the WLAN and remote access.

    Anyways, looks good on Windows... now I need to test it on iPads, tablets, and Androids....


    Try the HTML in the thread here: http://community.arubanetworks.com/t5/VIA-and-CSS/repost-of-the-useful-code-snippet-for-client-autodetection/m-p/21704/highlight/false#M27