Which is virtual intranet




















Either the internal database on the controller or an external authentication server can be used for authorizing the CN. If the internal database is used, add all certificate CNs to the internal database of the controller on which the VIA clients terminate. When you add the user name to the internal database, add a dummy password, because this password does not influence the authorization of the CN by the internal database.

NOTE: Ensure that your authentication server supports authorization services using only the username, because not all authentication servers support this feature.

ClearPass has support for authorizing based on just the username. An LDAP server can also be used for authorization. Aruba recommends that you have a good understanding of these variables and their implication before you create custom policies. Each profile plays an important role in authenticating the users and establishing a secure connection back to the corporate resources.

The VIA client retrieves the VIA web authentication list and allows the user to select the VIA authentication profile, which will be used to authenticate the user credentials for the configuration download. The VIA configuration is tied to the role that is assigned to the user as a part of the authentication process in step 3. If a new image is available, the VIA client downloads the new image and notifies the user about the pending upgrade. An IPsec connection is established only if the user is connected to an untrusted network.

The user role defines the access rights of the users that connect using VIA. Aruba recommends that network administrators configure custom user roles that depict the network access policy of their respective organizations. The ArubaOS has a predefined allow-all role called the default-via-role.

All the example configurations in this chapter use this user role.

Figure 16 Predefined default-via-role

Figure 17 Policies in the default-via-role

By default, the first server on the list is used for authentication unless it is unavailable.

A server group can have different types of authentication servers. If the fail-through feature is enabled, it tries to authenticate the users against all the servers in the list until the authentication is successful or until all the servers have been tried. When this feature is disabled, only the first authentication server in the list is used for authenticating the users unless that server is unreachable.
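A small Python model of the server-group behavior described above, added here as an illustration and not taken from ArubaOS. The server names, credentials and the three-outcome result type are constructed assumptions.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"


def static_store(users):
    """Constructed stand-in for one authentication server."""
    def check(username, password):
        return Result.ACCEPT if users.get(username) == password else Result.REJECT
    return check


def unreachable(username, password):
    """Constructed stand-in for a server that does not answer."""
    return Result.UNREACHABLE


def authenticate(server_group, username, password, fail_through=False):
    """Walk the ordered server group; return (accepting server or None, attempts)."""
    attempts = []
    for name, server in server_group:
        result = server(username, password)
        attempts.append((name, result))
        if result is Result.ACCEPT:
            return name, attempts
        if result is Result.REJECT and not fail_through:
            # Fail-through disabled: the first reachable server's answer is final.
            return None, attempts
        # UNREACHABLE, or REJECT with fail-through enabled: try the next server.
    return None, attempts


# Constructed sample group: names and credentials are illustrative only.
GROUP = [
    ("internal-db", static_store({"alice": "a-pass"})),
    ("radius-1", static_store({"bob": "b-pass"})),
]

if __name__ == "__main__":
    for ft in (False, True):
        server, attempts = authenticate(GROUP, "bob", "b-pass", fail_through=ft)
        print(f"fail_through={ft}: accepted_by={server}, tried={[n for n, _ in attempts]}")
```

With fail-through enabled, a single login attempt is evaluated by every server in the group until one accepts, so a rejected password is tested against each store in turn.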

Use dynamic server selection in these situations. For more details about dynamic server selection, see the ArubaOS 6. Do not enable fail-through authentication if these servers are in use. Note that IKEv2 deployments using X. For information about configuring a server-derived role, see the ArubaOS 6. When using server derived roles, the derived role should also have a VIA connection profile attached to it.

Multiple authentication profiles can be created. When multiple authentication profiles are available, the VIA client prompts the user to select an authentication profile. The VIA authentication profile is an integral part of the VIA web authentication, which determines the authentication server used for step 3 of the VIA bootstrap process and for authenticating users on the VIA installer download page of the controller. This does not compromise security, but it requires an additional configuration.

In these deployments, the default VPN authentication profile must include the appropriate user role and server group that must be used for authenticating VIA clients during the IKE process. A VIA connection profile also defines other optional parameters.

You can configure multiple VIA connection profiles. A VIA connection profile is always associated to a user role, and all users that belong to that role use the configured settings. When a user authenticates successfully to a server in an authentication profile, the VIA client downloads the VIA connection profile that is attached to the role assigned to that user. This IP address should not be reachable from the public Internet.

The VIA client uses this IP address to determine whether or not the user is connected to a trusted network. More than one VIA controller can be added to the list. If no VIA authentication profile is defined, the users are authenticated against the server group that is specified by the predefined default VIA authentication profile.

All other network destinations are bridged appropriately on the client. If split-tunnel is disabled, all the traffic is tunneled to the controller irrespective of the destination. If enabled, the single sign-on feature can be utilized by remote users to connect to internal resources. Default: If you disable auto-login, VIA stays idle after it comes up and the user has to manually click Connect to establish a VPN connection even though an untrusted network is detected.

Default: Enabled

Allow client to auto-upgrade: This parameter allows the VIA client to automatically upgrade if a newer version of VIA is available on the controller.

Default: Enabled

Enable split-tunneling: When enabled, all traffic to the VIA tunneled networks goes through the controller and the rest is bridged directly on the client.

If enabled, VIA client collects logs that can be sent to the support email address for troubleshooting.

If this is enabled, the user credentials that were able to successfully establish a VIA connection are saved securely until VIA is uninstalled or until IKE authentication fails with stored credentials.

If this option is disabled, VIA prompts for credentials every time it establishes a connection. Default: Enabled

Lockdown all settings: This parameter locks all the configuration options available on the end-user VIA client. If this option is enabled, a VIA user can only connect, disconnect or send logs. Diagnostics such as traceroute and ping can still be used, but no settings can be changed.

This feature does not take the current load of the controller into account. Remember that to validate the server certificate, the CA that signed the controller certificate should be a trusted CA in the client certificate store. The logon script must reside on the client computer. The logoff script must reside on the client computer. If the reconnection attempt is exceeded, the VIA client becomes idle. However, if the connection attempt fails due to an IKE authentication failure error, then the user is prompted to reenter username and password.

Remember that a user with administrative rights to a laptop can always uninstall VIA or disable the Aruba service running on the laptop. It refers to the capability of a network to provide better service and performance to a specific network traffic over various technologies.

The following procedure describes how to configure the tos-dscp parameter in the WebUI: Expand the VIA Connection profile option and select the name of an existing profile or click Add to create a new profile.

Click the default profile or other saved profile where you want to make changes. The allowed value range is Click Submit. Select Pending Changes. In the Pending Changes window, select the check box and click Deploy changes. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. Logging and diagnostics allow remote troubleshooting of connectivity issues.

Automatically launches VPN-on-demand outside the corporate network. Uses the same identity-based access policies whether local or remote.

Keep thousands of remote users connected to work
Employees who work remotely can easily install an Aruba AP to securely access the corporate network.

Reach out and cut costs
Every Aruba controller makes a secure connection to the network infrastructure across different sites.

Military-grade encryption
Aruba Suite B Advanced Cryptography software lets devices with VIA securely access networks that handle classified, confidential and unclassified data.

Automatic IPsec Connection
Frequent business travelers often connect through hotels, airports, coffee shops, and 3G cellular networks, which require secure links to access internal corporate resources.

User Role Support
VIA client software leverages the same role-based and stateful firewall policies for local and remote network access to ensure a consistent end-user experience, regardless of location.

Extensive Troubleshooting Support
VIA's built-in logging and diagnostic capabilities enable remote troubleshooting of connectivity issues without requiring users to navigate through a complex set of tools.

Aruba Advanced Cryptography 8 Session License.


