Controller Based WLANs

 View Only
last person joined: one year ago 

APs, Controllers, VIA
Back to Library

Virtual Intranet Agent 

Sep 26, 2014 06:29 AM

Virtual Intranet Agent (VIA) - VIA is a software agent for Windows platforms that you can think of effectively as a software RAP for laptops. Once installed, it just disappears into the background and engages itself when needed. If the user is in the office or at home behind a RAP, the VIA client will not engage. But when the user is on the road, VIA will automatically set up an IPSEC or SSL connection to the corporate network with zero user input.

VIA integrates with the Mobility Controller in the data center, the same one that connects to branch office RAPs as well campus APs. This allows for significant consolidation including for the first time the opportunity to retire obsolete and out-of-gas VPN concentrators.

Finally, for situations where the VIA client can’t be installed, the Mobility Controller will also connect securely with existing VPN clients from all the major operating systems including Mac OS X, Windows, and Linux.

 

VIA and AOS

  • VIA software for Windows platforms integrates remote users into the Aruba Architecture

Components: Aruba Controller with (optional) PEF-V license for firewall enforcement

  • IT defines security policy for the network edge once – it is enforced no matter how the user accesses the network

VIA and iOS

SUNNYVALE, Calif.--(BUSINESS WIRE)-- Aruba Networks, Inc. (NASDAQ:ARUN - News) today announced that its Virtual Intranet Access (VIA) App for iPad, iPhone and iPod touch is now available on the App Store. The Wi-Fi-aware VPN application enables seamless security on both public and private wireless networks. VIA builds on Aruba’s Remote Networking portfolio, which offers automatic configuration of wireless device settings, requiring zero-touch for the end-user.

Where do I get the corporate VIA client?

https://via.arubanetworks.com/via

Where do I connect to corporate?

via.arubanetworks.com

For Apple iDevices

VIA is available from the Apple app store: http://itunes.apple.com/us/app/aruba-networks-via/id481378525?mt=8

Which server to I point it to?

via.arubanetworks.com

 

VIA Major Features

  • Auto-connect – Automatically detects when a network connection is available, and if the client is not on the “Trusted” corporate network automatically connects back to the central site
  • SSL fallback – If IPsec is not available because of a firewall, the client will automatically attempt to run with IPsec encapsulated in SSL
  • Simplified troubleshooting – Extensive built in diagnostics and logs to speed troubleshooting
  • Leverages single sign-on – Can take advantage of Windows credentials and automatically authenticate the user
  • WZC control – Provides IT staff the ability to configure wireless settings for client laptops as a part of the profile

 

VIA changes in AOSv6.1

Previously, no software license key was needed to use VIA – it was included for free in the base operating system. Beginning with AOS 6.1, the PEFV license will be required to use VIA. Non-VIA VPN functionality continues to be part of the base OS, and for non-Aruba VPN clients you will still only require the PEFV license if you want role-based access control and PEF functionality for VPN sessions.

New in AOSv6.1 is the ability for the controller to detect the operating system that has logged into the VIA portal and automatically download the correct version for the client. This functionality is currently broken, however. Please see bugs here:

Bug 54707 - WebUI does not present correct download link for via users logging in from Mac OS X machines

Bug 43413 - VIA download page and WebUI page need to present link for 64 bit VIA

To Manually download the 64-bit and osx platforms, please use:

  • https://<controllerip>/via/download?os=64
  • https://<controllerip>/via/download?os=osx

p.s., via.arubanetworks.com has a custom welcome.html page that will properly detect your windows or mac version (report bugs with this to Carlen Hoppe)

 

Why are we making this change?

  • Requiring the PEFV license will lead to increased customer satisfaction. Customers are generally happier with VIA when they have the flexibility of role-based access control, mapping VIA users into different roles, and enforcing firewall rules. We have had a few problems in the past few months where customers complained about this issue – adding the PEFV license in all cases has resolved their complaints.
  • Some customers actually felt that because VIA was free, it must be a product that Aruba didn’t take seriously and would not invest in. “Free” made them think it was not enterprise-class.
  • VIA has become quite popular with customers, and there are many RFEs coming in for additional feature enhancements. Adding the license requirement will let us staff the VIA engineering team appropriately, both by providing a revenue stream and also by letting us measure how many customers are actually using VIA. Today we have no idea how many customers are using VIA.
  • The PEFV license is relatively low-cost. It should not be a big stretch for the budget to add this license to an order.

 

What about customers who are already using VIA?

  • Existing VIA customers who do not have the PEFV license should be offered a free PEFV license for their VIA controllers. Order this by placing a $0 sales order. The number of existing VIA users is still very small, and most of them we know of already have the PEFV license, so this should not overwhelm our sales teams or partners.
  • Customers without PEFV who upgrade to 6.1 will find a PEFV eval license installed that is valid for 30 days. This should provide time to obtain a permanent license.

 

What’s ahead on the VIA roadmap?

  • A lot! VIA is a core Aruba product and we are committed to making it a world-class piece of software.
  • We have already delivered 64-bit Windows support, and Mac OS X is on the support website. We are also working on mobile platforms such as IOS andAndroid.
  • Smart card support
  • “Domain Pre-Connect”, which establishes a connection based on machine credentials so that a Windows domain controller can be reached
  • IKEv2 support including new authentication methods such as EAP-TLS and EAP-PEAP
  • Post-logon scripting
  • Additional customization
  • Ability to upgrade VIA independent of the ArubaOS version on the controller
  • …and more!

How many VIA clients can the controller support

  • The number of concurrent VIA client is equivalent to the number of IPSEC tunnel supported by the platform.

 

Windows Version

Windows 8 is the same as Windows 7 in this regard, so no need to specify exact version

 

Documents

(Presentation - VIA overview

 

Misc Info

  • PEFV Licensee is not required under AOS 6.1

 

VIA with static IP

  1. Put each user into a different role
  2. Assign a different IP pool, containing one address each, to each role

That’s the only way to do it today.

 

Domain Pre-connect feature

The simplest steps to make this feature work are.

  • Make sure you have network connectivity to the client when user is logged off.
  • Configure VIA connection profile for IKEv2+User certificates. (The feature works only with IKEv2 as of now).
  • The certificates (or computer account) have to be stored in machine store.
  • Establish at least one normal VIA IPSec connection when user is logged into the machine. (domain pre-connect creates its own profile using this profile).
  • Now log off the machine domain pre-connect would be initiated.
  • In controller you can see, the intial IPSec connection will teared off and new connection will be triggered. (Use “show user” command).

IKEv2+Mschapv2 (without certificates) also work.

 

Q&A

  • Q. Is there a VIA client for Linux?
    • A. There are no plans for Linux right now. VIA for Android is being built and a derivative for Linux may be possible.
  • Q. Can we authenticate a VIA client using a device certificate in addition to Username/Password on iOS? Token wont work because it has to be transparent.
    • A. Using IKEv1, you can use a certificate for IKE phase 1 followed by a username/password for Xauth. The certificate will be found in the device certificate store.
  • Q. Does VIA support smart card access?
    • A. Yes, smart cards and machine certificates are supported.
  • Q. How do we prevent access to https://<controller> while allowing access to https://<controller>/via?
    • A. Configure the ACL to block access to tcp port 4343 and allow access to port 443.
  • Q. Which client support split-tunneling?
    • A. Windows and iOS clients supports split-tunneling. MAC 1.0 VIA client does not support split-tunneling.

 

Statistics
0 Favorited
3 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.