Wireless Access


VIA setup with IKE v1 and v2

  • 1.  VIA setup with IKE v1 and v2

    EMPLOYEE
    Posted Oct 27, 2014 02:52 PM

    Hi,

    A customer is looking at setting up a trial of the VIA remote access, and initially I was thinking of IKEv1 with machine cert then username/password as a pilot.

    They have asked about the possibility of non-domain devices like iPads as well, which could be an IKEv2 setup.

    Was just wondering if it is possible to have the two methods running concurrently, or is it a case of one or the other?

    Any suggestions or examples of how others have done it would be appreciated.

    Thanks



  • 2.  RE: VIA setup with IKE v1 and v2

    EMPLOYEE
    Posted Oct 27, 2014 06:38 PM

    Are you trying to do a two-factor auth by using IKEv1?

    IKEv2 supports EAP-TLS, which you could use across all of your clients.



  • 3.  RE: VIA setup with IKE v1 and v2

    Posted Oct 27, 2014 11:47 PM

    The iPads can also be configured with IKEv1 policies in the same way: initially authenticate with certificate and then username/password. If you also want to use IKEv2, you'll need two Connection Profiles, as you have to choose whether to use IKEv1 or IKEv2 on your VIA Connection Profile.

    Or, as Tim suggests, if you aren't interested in the two-phased auth approach of IKEv1 or require IKEv2, you could use PEAP (EAP-TLS or EAP-MSCHAPv2) or even just X.509 certificate or username/password.



  • 4.  RE: VIA setup with IKE v1 and v2

    EMPLOYEE
    Posted Oct 28, 2014 05:09 AM

    Basically wanted the two-factor with IKEv1, but they've asked about accommodating iPads as well.



  • 5.  RE: VIA setup with IKE v1 and v2

    Posted Oct 28, 2014 08:54 AM

    Using dual-auth options with IKEv1 works on iPads as well; you just need to have a way to get the certificate onto the iPad.



  • 6.  RE: VIA setup with IKE v1 and v2

    EMPLOYEE
    Posted Nov 11, 2014 06:12 PM

    So in terms of a policy in NPS to accommodate this machine cert first, then the username/password, what would this need to look like?

    Is it just a case of allowing PAP?

    Just wondering if anyone has an example of an NPS policy to share?

    I have sort of stitched myself up here by offering this as a trial to one of our global Aruba customers. Hopefully it will prove to be another nice feather in the cap!! ;-)



  • 7.  RE: VIA setup with IKE v1 and v2
    Best Answer

    Posted Nov 11, 2014 10:39 PM

    NPS cannot authenticate the user-cert portion of this (it is not EAP based); only phase 2, the XAUTH/PAP authentication.

    The controller will authenticate phase 1 (user-cert) by specifying the issuing CA under "CA Certificate Assigned for VPN-Clients" under the VPN Services configuration. Only clients that present a certificate issued by a CA in this list will pass this phase of authentication. Phase 2 of authentication is done with XAUTH. You can use NPS for this, ensuring that PAP is the allowed authentication type.