Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA can’t see trusted network

  • 1.  VIA can’t see trusted network

    Posted Mar 07, 2020 02:25 PM

    Hi

     

    I have a 7210 controller running the VIA client for VPN access. 

    Working fine; except when they’re wired internally to our network, it says untrusted and launches a VPN session on our LAN.

    It can get 443 traffic to the controller from our LAN; anything else it needs to make this realise it’s a trusted network?



  • 2.  RE: VIA can’t see trusted network

    EMPLOYEE
    Posted Mar 07, 2020 05:08 PM

    It must not be able to connect to the Internal IP parameter in the VIA Connection profile to be marked untrusted. If there is no internal IP address configured in the Internal IP parameter of the server profile, it will assume it is untrusted.



  • 3.  RE: VIA can’t see trusted network

    Posted Mar 07, 2020 05:16 PM

    Yes, there is an internal IP set in the profile ... I can even see the laptop try to connect to the inside interface of our controller when VIA loads up on the LAN ... it gets to it but seems to not like the response or not get one at all.

    Is there anything I need to set on that interface? Ironically when it thinks it’s untrusted, it completes a VPN tunnel to the very interface it’s trying to prove it’s on a trusted network to. Seems odd it can’t get an HTTPS connection to it but it happily creates a VPN tunnel to it.



  • 4.  RE: VIA can’t see trusted network

    EMPLOYEE
    Posted Mar 07, 2020 05:17 PM

    The server ip address and the inner ip address are supposed to be two different ip addresses.



  • 5.  RE: VIA can’t see trusted network

    Posted Mar 08, 2020 01:41 AM

    Oh I see. So if you’re using the same IP for management and internal IP; do I need to do anything different? Or should I change my server IP to next IP up?



  • 6.  RE: VIA can’t see trusted network

    Posted Mar 08, 2020 08:44 AM

    Is your comment at all related to the need for this command:

     

    controller-ip ipsec aruba-vpn

     

    Conscious that I need the management address (controller-ip) and the inside address to be the same



  • 7.  RE: VIA can’t see trusted network

    Posted Mar 08, 2020 09:02 AM

    Bit confused on this one to be honest

     

    My users can put in DNS when on our LAN and download profile ... this works fine when internal / external to our network. Creates VPN tunnel fine.

    Only problem I have - VIA can’t tell when it’s on the trusted network now. But the ‘internal-ip’ that is set in the profile is the same as our inside address where users download the profile ... clearly the external one is a public facing one and on a different interface in this controller.

    A little lost on this one ... I can see users’ HTTPS traffic getting to the right IP on this controller ... but whatever response the VIA client gets is not satisfying this check.



  • 8.  RE: VIA can’t see trusted network

    EMPLOYEE
    Posted Mar 08, 2020 09:20 AM

    The VIA connection profile has a "VIA servers:" area that allows you to add a server, and then an internal server.  The server would be the public IP address of the VIA controller that users would connect to from "outside".  The internal server is the private address of the VIA controller that the VIA client would attempt to connect to, to determine if the user is on a trusted network or not.

     

     

     



  • 9.  RE: VIA can’t see trusted network

    EMPLOYEE
    Posted Mar 08, 2020 09:22 AM


  • 10.  RE: VIA can’t see trusted network

    Posted Mar 08, 2020 09:37 AM

    Thank you for sending this over

     

    I’m using version 8; the guide is written for version 6 so not sure if that matters?


    The guide says the internal-ip set in the VIA should be internally accessible for the VIA client to determine if it is on the internal network. My users can definitely get to this IP address on port 443. However they don’t seem to be getting a response that the VIA client is happy with.

    My controller-ip is the same address as this internal IP I’ve set. It’s internally accessible ... can’t work out why the controller isn’t sending a valid response to the VIA client?

     

    Should I be using an additional internal IP for management as well as the internal IP for data? Would prefer to keep them the same but can’t work out why it won’t work?



  • 11.  RE: VIA can’t see trusted network

    EMPLOYEE
    Posted Mar 08, 2020 09:39 AM

    Does your VIA controller have a public ip address?



  • 12.  RE: VIA can’t see trusted network

    Posted Mar 08, 2020 09:45 AM

    Yes it does

     

    I have 2 interfaces set up on controller

     

    1 - internal IP on 10. range doing inside traffic and management

     

    2 - external public IP (which gets NAT’d by our external firewall) doing the outside traffic to the internet

     

    I have 2 routes ... all of the 10 internal address space goes inside and everything else goes out to the internet.

    Our VPN works fine and there’s no issues with it. We just have 2 problems; when users are on LAN the VIA client thinks it’s on an untrusted network.

    We also have a problem where we add ‘certificate criteria’ to the profile and it ignores this and still shows all our certificates for users to choose from instead of the criteria we add to filter them.

     



  • 13.  RE: VIA can’t see trusted network

    EMPLOYEE
    Posted Mar 08, 2020 09:49 AM

    From the VIA VRD:

    "the VIA client automatically detects whether the user is connected
    to a trusted or untrusted network by sending a HTTPS HEAD request to the
    internal IP of the controller <https://<controller’s internal ip>/via>. If the VIA
    client receives a HTTPS response with the expected X-VIA header, the user is
    considered to be on a trusted network. An IPsec connection is established only
    if the user is connected to an untrusted network."
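
The check quoted from the VRD above can be reproduced from a LAN workstation to see which step fails: TCP reachability, the TLS handshake, or a response that lacks the X-VIA header. This is an added example, not Aruba's code and not part of the original thread; the function names and the 192.0.2.10 placeholder address are assumptions, and only the presence of X-VIA is tested because the expected value is not given on this page.

```python
import http.client
import socket
import ssl

VIA_PATH = "/via"      # path quoted from the VIA VRD in the post above
VIA_HEADER = "x-via"   # header name from the VRD; its expected value is not on the page


def classify(status, headers):
    """Decide what a HEAD /via response means for trusted-network detection.

    headers: iterable of (name, value) pairs as returned by getheaders().
    Only the presence of X-VIA is checked (assumption: any value counts).
    """
    names = {name.lower() for name, _ in headers}
    if VIA_HEADER in names:
        return "trusted: X-VIA header present"
    return f"untrusted: HTTP {status} without X-VIA header"


def probe(internal_ip, port=443, timeout=5.0, verify_cert=False):
    """Send the HEAD request the VRD describes and report the outcome.

    verify_cert=False is an assumption for diagnosis only: the controller's
    certificate may not be trusted by this workstation, and the page does not
    say whether the VIA client validates it. Re-run with True to test TLS trust.
    """
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(internal_ip, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", VIA_PATH)
        resp = conn.getresponse()
        return classify(resp.status, resp.getheaders())
    except ssl.SSLError as exc:
        return f"untrusted: TLS handshake failed ({exc.__class__.__name__})"
    except (socket.timeout, ConnectionError, OSError) as exc:
        return f"untrusted: no HTTPS response ({exc.__class__.__name__})"
    finally:
        conn.close()


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; substitute the profile's internal IP.
    print(probe("192.0.2.10", timeout=2.0))
```

Comparing the result with `verify_cert=True` against the default run separates a certificate trust problem from a controller that answers on 443 but does not return the header.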



  • 14.  RE: VIA can’t see trusted network

    EMPLOYEE
    Posted Mar 08, 2020 09:51 AM

    Please read the VIA VRD to get an understanding of how it should work.  It does not matter if it is ArubaOS 6.x or 8.x, the same concepts apply.



  • 15.  RE: VIA can’t see trusted network

    Posted Mar 08, 2020 09:52 AM

    Thanks - but our controller isn’t responding and we are set up like you say.

    Does it matter our management and data is on same interface internally? Just wondering why it’s not responding to our VIA users?



  • 16.  RE: VIA can’t see trusted network
    Best Answer

    EMPLOYEE
    Posted Mar 08, 2020 09:56 AM

    All that matters is what the VIA connection profile has in it and what users can or cannot reach.  If users can reach the "internal ip address" defined in the VIA connection profile over HTTPS, it will be considered trusted.  Management and Data have no meaning in this context.  If it is not functioning that way, please open a TAC case.



  • 17.  RE: VIA can’t see trusted network

    Posted Mar 08, 2020 10:21 AM

    Ok thanks