Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA integration issues - Cannot download profiles

  • 1.  VIA integration issues - Cannot download profiles

    Posted Mar 17, 2012 06:54 AM

    Hello All,

     

    I'm struggling with integrating the VIA Client back to our 620 Controller.

     

    I have the VIA Auth Profile created. The Connection Profile is down. The Web Authentication Profile is done as well.

    The User Role and Policy are built. User Role has been associated to the Connection Profile.

     

    I associated to a Server Group. Built to our Radius. Still would not work.

    Even created another Server Group but built to the Controller's Internal Database. Still did not work.

     

    Now is Port 443 supposed to be passed across the IPSec Tunnel the VIA builds back to the Controller?

    I downloaded the VIA Client from the Arubanetworks website and not from the Controller. 

     

     

    Any ideas will be highly appreciated.

     



  • 2.  RE: VIA integration issues - Cannot download profiles

    EMPLOYEE
    Posted Mar 17, 2012 07:00 AM

    You need port 443 as well as UDP 4500 from the outside to the controller.  If port 443 is not open, you cannot download a profile from the outside.

     



  • 3.  RE: VIA integration issues - Cannot download profiles

    Posted Mar 17, 2012 07:03 AM

    I suspected that 443 would be required.

     

    Thanks cjoseph. 

     

    Will try this out on Monday and let you know.



  • 4.  RE: VIA integration issues - Cannot download profiles

    Posted Mar 17, 2012 07:29 AM

    Hey Joseph. Our Firewall rule will have to be associated with the VPN IP Address Pool I created for the VIAs, right?

     

    And unlike the RAPs, the VPN IP Address Pool for the VIAs has to be routable on our Corporate LAN Network? 



  • 5.  RE: VIA integration issues - Cannot download profiles

    EMPLOYEE
    Posted Mar 17, 2012 07:32 AM

    @eosuorah wrote:

    Hey Joseph. Our Firewall rule will have to be associated with the VPN IP Address Pool I created for the VIAs, right?

     

    And unlike the RAPs, the VPN IP Address Pool for the VIAs has to be routable on our Corporate LAN Network? 


    The Firewall rule on your perimeter firewall needs to allow UDP 4500 and TCP 443 inbound to the public address of the controller.  If the controller does not have a physical public address, it needs a 1:1 NAT mapping an external address on your firewall to the internal address of the controller.

     

     

    The VPN IP address pool does not need to be routable on your campus LAN for it to work.

     

     



  • 6.  RE: VIA integration issues - Cannot download profiles

    Posted Mar 17, 2012 07:35 AM

    Thank you Sir!

     

    We already have 4500 passed. Will deal with 443.

     

    Will keep you posted.



  • 7.  RE: VIA integration issues - Cannot download profiles

    Posted Mar 19, 2012 07:21 PM

    Hi Joseph,

     

    I finally got the VIA to work after passing TCP 443 across the Internet back to our Controller after battling with it for a while. I had to do the following:

     

    1. The VPN IP Address Pool created for the VIA Clients had to be routable on our Network.

    2. I had to create a dummy IKE Shared Secret Key on the "VPN Services" Form. Without this Dummy Key, the VIA would not establish a session. It always generated an error message saying "Failed to establish secure session".

     

    Do the above fixes seem right to you?

    I don't see any Aruba Documentation that states the above. But the Aruba Engineer says it's required.

     

    The only issue I'm experiencing now is that I could not get the VIA to work using RADIUS 802.1X Authentication. It just wouldn't even download the Connection Profile.

     

    Now my RAPs are using the same RADIUS Server for 802.1X Authentication and it works just fine. So why the same RADIUS Server doesn't work is beyond me.

     

    The Aruba Engineer says that I need to have PAP Authentication enabled on the RADIUS Server's Policy. That this is a requirement for VIA 802.1X Authentication using the RADIUS Server to work.

     

    Also, have you seen or heard about this?

     

    However, I intend to test this out and then see.

     

    Look forward to hearing from you.

     



  • 8.  RE: VIA integration issues - Cannot download profiles

    EMPLOYEE
    Posted Mar 19, 2012 07:24 PM

    1.  Yes to the preshared key

    2.  Sorta to the routable address:  You could have put the any any source-nat ACL in the Via user role to avoid this, or you could use a routable address, like you did.

    3.  PAP is a requirement for Via Authentication, yes.

     

    We should make a VIA gotchas page for all of this, personally.

     



  • 9.  RE: VIA integration issues - Cannot download profiles

    Posted Mar 19, 2012 07:55 PM

    Yep I agree!

     

    However, before we do that, let me setup the PAP Authentication first and confirm it works.

     

    Will keep you updated as usual.



  • 10.  RE: VIA integration issues - Cannot download profiles

    Posted Mar 19, 2012 08:02 PM

    Hey Joseph,

     

    Quick question. Is there a Limit to the number of Local Controllers that can associate to a Master?

     

    Secondly, is there a Limit to the number of APs that can be associated to an AP Group?



  • 11.  RE: VIA integration issues - Cannot download profiles

    EMPLOYEE
    Posted Mar 19, 2012 08:11 PM

    A great deal of scaling information is in the Mobility Controllers 8 VRD here:  http://www.arubanetworks.com/pdf/technology/VRD_Aruba%20Mobility%20Controllers_8.pdf

     

     



  • 12.  RE: VIA integration issues - Cannot download profiles

    Posted Mar 19, 2012 09:18 PM

    Thanks Joseph.

     

    Will keep you updated on the VIA.



  • 13.  RE: VIA integration issues - Cannot download profiles
    Best Answer

    Posted Mar 20, 2012 03:59 PM

    Thanks Joseph.

     

    It worked. I finally got 802.1X Authentication to work via the RADIUS immediately we enabled PAP.

     

    However, I know with PAP, Username/Password are sent unencrypted. With the IPSec Tunnel being built, I'm assuming that the Username/Password credential will be encrypted. Am I right in assuming so?

     



  • 14.  RE: VIA integration issues - Cannot download profiles
    Best Answer

    EMPLOYEE
    Posted Mar 20, 2012 06:23 PM

    Please see the thread here: - http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/External-Authenication-Server-MSCHAPv2-vs-PAP-on-the-proxy/m-p/26342/highlight/true#M217

     

    "Note that passwords are NOT cleartext on the wire with PAP - they are encrypted using the RADIUS shared secret.  Assuming you chose a sufficiently strong RADIUS shared secret, it's not too bad. "