Aruba VIA 1.0 Mac Edition User Guide


Aruba VIA 1.0 Mac Edition

User Guide


Copyright

© 2011 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

Warranty

This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.

Altering this device (such as painting it) voids the warranty.

www.arubanetworks.com

1344 Crossman Avenue
Sunnyvale, California 94089

Phone: 408.227.4500
Fax: 408.227.4550

Aruba VIA 1.0 Mac Edition | User Guide 0510977-01 | July 2011


Contents

About this Guide
  Audience
  Fundamentals
    WebUI
    CLI
  Related Documents
  Conventions
  Contacting Support

Chapter 1 Introduction
  VIA Connection Manager
    How it Works
  VIA Compatibility

Chapter 2 Controller Configuration
  Before you Begin
  Authentication Mechanisms Supported in VIA 1.x
  Configuring VIA Settings
    Using WebUI to Configure VIA
      Enable VPN Server Module
      Configure VPN Authentication Profile
      Create VIA Connection Profile
      Configure VIA Web Authentication
      Associate VIA Connection Profile to User Role
      Configure VIA Client WLAN Profiles
      Rebranding VIA and Uploading VIA Installers
    Using CLI to Configure VIA
      Create VPN Authentication Profile
      Create VIA Connection Profiles
      Configure VIA Web Authentication
      Associate VIA Connection Profile to User Role
      Configure VIA Client WLAN Profiles
      Rebranding VIA and Uploading VIA Installers

Chapter 3 End-User Instructions
  Installing and Uninstalling VIA
    Installing VIA
    Uninstalling VIA
    VIA Connection Status
  Upgrade Workflow
  Using the VIA Connection Manager
  Troubleshooting VIA Issues
    VIA Log Files
    Automatically Generate and Submit Log Files
    Manually Generate and Submit Log Files
    Debug Connectivity Issues


Figures

Figure 1 Configure VPN Authentication Profile
Figure 2 Create VIA Connection Profile
Figure 3 Select VIA Authentication Profile
Figure 4 Associate VIA Connection Profile to User Role
Figure 5 Create VIA Client WLAN Profile
Figure 6 Configure the SSID Profile
Figure 7 Configure VIA Client WLAN Profile
Figure 8 Customize VIA logo, Landing Page, and download VIA Installer
Figure 9 VIA Connection Status


About this Guide

This User Guide describes the features supported by ArubaOS VIA on Mac computers and provides instructions and examples for configuring controllers and installing, upgrading, and using the VIA connection manager. This chapter covers:

“Audience”

“Fundamentals”

“Related Documents”

“Conventions”

“Contacting Support”

Audience

This guide is intended for system administrators responsible for configuring and maintaining VIA controllers and for VIA users who will use the VIA connection manager to connect securely to their corporate network.

Fundamentals

Configuring your controller is accomplished using either the Web User Interface (WebUI) or the command line interface (CLI).

WebUI

Each controller supports up to 22 simultaneous WebUI connections. The WebUI is accessible through a standard Web browser from a remote management console or workstation. The WebUI includes configuration wizards that step you through easy-to-follow configuration tasks. The wizards are:

Controller Wizard—basic controller configuration

License Wizard—installation and activation of software licenses

CLI

The CLI is a text-based interface accessible from a local console connected to the serial port on the controller or through a Telnet or Secure Shell (SSH) session.

When entering commands remember that:

commands are not case sensitive

the space bar will complete your partial keyword

the backspace key will erase your entry one letter at a time

the question mark ( ? ) will list available commands and options

By default, you access the CLI from the serial port or from an SSH session. You must explicitly enable Telnet on your controller in order to access the CLI via a Telnet session.


Related Documents

The following items are part of the complete documentation for the Aruba user-centric network:

ArubaOS 6.1 Controller Installation Guides

ArubaOS 6.1 User Guide

ArubaOS 6.1 Command Reference Guide

ArubaOS 6.1 Quick Start Guide

The latest version of the documentation is available at support.arubanetworks.com.

Conventions

The following conventions are used throughout this manual to emphasize important concepts:

Table 1 Typographical Conventions

| Type Style | Description |
| --- | --- |
| Italics | This style is used to emphasize important terms and to mark the titles of books. |
| System items | This fixed-width font depicts the following: sample screen output; system prompts; filenames, software devices, and specific commands when mentioned in the text. |
| Commands | In the command examples, this bold font depicts text that you must type exactly as shown. |
| <Arguments> | In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example: # send <text message> In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets. |
| [Optional] | In the command examples, items enclosed in brackets are optional. Do not type the brackets. |
| {Item A \| Item B} | In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars. |

The following informational icons are used throughout this guide:

Indicates helpful suggestions, pertinent information, and important things to remember.

Indicates a risk of damage to your hardware or loss of data.

Indicates a risk of personal injury or death.

Contacting Support

Main Site: arubanetworks.com

Support Site: support.arubanetworks.com

North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200

International Telephones: arubanetworks.com/support-services/aruba-support-program/contact-support/

Software Licensing Site: licensing.arubanetworks.com/login.php

Wireless Security Incident Response Team (WSIRT): arubanetworks.com/support/wsirt.php

Support Emails

Americas and APAC: [email protected]

EMEA: [email protected]

WSIRT Email (please email details of any security problem found in an Aruba product): [email protected]


Chapter 1

Introduction

Virtual Intranet Access (VIA) is part of the Aruba remote networks solution targeted for teleworkers and mobile users. VIA detects the user’s network environment (trusted or un-trusted) and automatically connects the user to their enterprise network. A trusted network is typically a protected office network that allows users to directly access the corporate intranet. Un-trusted networks are public Wi-Fi hotspots, such as those in airports and cafes, or a home network.

Topics in this Document

“VIA Connection Manager”

“VIA Compatibility”

“Supported Authentication Mechanisms”

“Configuring VIA Settings”

The VIA solution comes in two parts—VIA connection manager and the controller configuration.

To set up virtual intranet access for remote users, you must configure your controller, which includes setting up user roles, authentication, and connection profiles. You can use either the WebUI or the CLI to configure your controller. See “VIA Configuration” on page 13.

VIA Connection Manager

Aruba VIA connection manager runs on a client computer and attempts to automatically keep the device connected to an enterprise network. It uses IPSec based VPN for secure connectivity, and supports a number of different authentication options. VIA connects to an Aruba controller, ensuring that the same user-centric policy controls available in an organization’s wireless LAN, wired LAN, branch office, and tele-worker access networks are also available for remote users.

The Mac OS version of VIA connection manager is an L2TP IPSec client wrapper around the native Mac OS VPN client. See “How it Works” on page 11 for more information on how the VIA connection manager provides a seamless, secure connection.

How it Works

If a user is connected from a remote location that is outside of the enterprise network, VIA automatically detects the environment as un-trusted and creates a secure IPSec connection between the user and the enterprise network. When the user moves into the trusted network, VIA detects the network type and moves to idle state.

VIA provides a seamless connectivity experience to users when accessing an enterprise network resource from an un-trusted or trusted network environment. You can securely connect to your enterprise network from an un-trusted network environment. By default VIA will auto-launch at system start and establish a remote connection. The following table explains the typical behavior:

Table 2 VIA Connectivity Behavior

| User action / environment | VIA’s behavior |
| --- | --- |
| The client / user moves from a trusted to un-trusted environment. Example: From office to a public hot-spot. | Auto-launches and establishes connection to remote network. |
| The client moves from an un-trusted to a trusted environment. | Auto-launch and stay idle. VIA does not establish remote connection. You can, however, manually connect to a network by selecting an appropriate connection profile from the Settings tab. |
| While in an un-trusted environment, user disconnects the remote connection. | Disconnects gracefully. |
| User moves to a trusted environment. | Stays idle and does not connect. |
| User moves to an un-trusted environment | Stays idle and does not connect. This usually happens, if the user has in a previous occasion disconnected a secure connection by clicking the Disconnect button in VIA. Users can manually connect by one of the following methods: 1. Right click on the VIA icon in the system tray and select the Restore option and then select the Connect option to connect using the default connection profile. 2. Right click on the VIA icon in the system tray and select the Connect option. |
| User clicks the Reconnect button. | Establishes remote connection. |
| In an un-trusted environment, user restarts the system. | Auto-launches and establishes remote connection. |
| In an un-trusted environment, user shuts down the system. Moves to a trusted environment and restarts system. | Auto-launches and stays idle. |

NOTE: VIA requires the PEFV license and is supported on the M3, 3000 Series, and 600 Series controller.

NOTE: The sequence of events described in Table 2 does not necessarily mean that the events always happen in the order shown in the table.

NOTE: See Chapter 3, “End-User Instructions” on page 25 for information about using the desktop VIA connection manager.

VIA Compatibility

The following table shows the compatibility of different versions of VIA with ArubaOS.

Table 3 VIA Compatibility Matrix

| ArubaOS Version / Operating System | Microsoft Windows (32-bit) [XP, Vista, Windows 7] | Microsoft Windows (64-bit) [Vista, Windows 7] | Mac OS 10.5, 10.6 |
| --- | --- | --- | --- |
| ArubaOS 5.0.X | 1.0, 1.1, 1.2 | — | — |
| ArubaOS 6.0.x | 1.0, 1.1, 1.2 | 1.2 | — |
| ArubaOS 6.1.x | 1.1, 1.2, 2.0 | 1.2 | 1.0 |


Chapter 2

Controller Configuration

VIA configuration requires that you first configure VPN settings and then configure VIA settings. See the Virtual Private Networks chapter in the latest ArubaOS User Guide for information on configuring VPN settings on your controller.

Before you Begin

The following ports must be enabled before configuring the VIA controller.

TCP 443—During the initializing phase, VIA uses HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks.

UDP 4500—Required for IPSec transport

UDP—500, 1701, and 4500

TCP—1723

IP protocol—50
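To check a perimeter rule set against the list above, this added example (not part of the Aruba guide) evaluates a simplified first-match policy and returns the required VIA flows that a remote client could not reach on the controller. The rule syntax, the addresses 203.0.113.10 and 198.51.100.25, and all function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Flows listed under "Before you Begin", as (protocol, port).
# A protocol given as a number is an IP protocol and has no port.
REQUIRED_FLOWS = [
    ("tcp", 443),    # HTTPS trusted-network and captive-portal checks
    ("udp", 500),
    ("udp", 1701),
    ("udp", 4500),   # IPSec transport
    ("tcp", 1723),
    ("50", None),    # IP protocol 50
]


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any), "tcp", "udp", or a protocol number
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[range]        # None means all ports, or not applicable


def _network(token):
    """Accept 'any', a bare address, or CIDR notation."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token,
                                strict=False)


def parse_rule(line):
    """Parse '<permit|deny> <proto> <src> <dst> [port|lo-hi]' (assumed syntax)."""
    fields = line.split()
    if len(fields) not in (4, 5) or fields[0] not in ("permit", "deny"):
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, dst = fields[:4]
    ports = None
    if len(fields) == 5:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"ports only apply to tcp/udp: {line!r}")
        lo, _, hi = fields[4].partition("-")
        ports = range(int(lo), int(hi or lo) + 1)
    return Rule(action, proto, _network(src), _network(dst), ports)


def _matches(rule, proto, port, src, dst):
    if rule.proto not in ("ip", proto):
        return False
    if src not in rule.src or dst not in rule.dst:
        return False
    return rule.ports is None or port in rule.ports


def verdict(rules, proto, port, src, dst):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if _matches(rule, proto, port, src, dst):
            return rule.action
    return "deny"


def missing_flows(rule_lines, controller_ip, client_ip):
    """Return the required VIA flows the policy does not permit."""
    rules = [parse_rule(line) for line in rule_lines
             if line.strip() and not line.lstrip().startswith("#")]
    src = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(controller_ip)
    return [(proto, port) for proto, port in REQUIRED_FLOWS
            if verdict(rules, proto, port, src, dst) != "permit"]


# Constructed perimeter policy, not taken from any real device.
SAMPLE_RULES = """
permit tcp any 203.0.113.10 443
deny   udp any any 1701
permit udp any 203.0.113.10 500-4500
permit tcp 10.0.0.0/8 203.0.113.10 1723
""".splitlines()

if __name__ == "__main__":
    for proto, port in missing_flows(SAMPLE_RULES, "203.0.113.10", "198.51.100.25"):
        print("not permitted:", proto, "" if port is None else port)
```

In the sample policy, UDP 1701 falls inside the permitted 500-4500 range but is shadowed by the earlier deny, and TCP 1723 is only open to an internal source range, so both are reported along with IP protocol 50.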

Authentication Mechanisms Supported in VIA 1.x

Authentication is performed using IKEv1 only. Phase 0 authentication, which authenticates the VPN client, can be performed using either a pre-shared key or an X.509 certificate (the X.509 certificate must appear in the operating system’s “user” certificate store). If certificates are used for IKE phase 0 authentication, it must be followed by username and password authentication.

The second authentication phase is performed using xAuth, which requires a username and password. The username and password are authenticated against the controller’s internal database, a RADIUS server, or an LDAP server. If a RADIUS server is used, it must support the PAP protocol.

Configuring VIA Settings

The following steps are required to configure your controller for VIA. These steps are described in detail in the subsections that follow.

1. Enable VPN Server Module—ArubaOS allows you to connect to the VIA controller using the default user roles. However, to configure and assign specific user roles you must install the Policy Enforcement Firewall Virtual Private Network (PEFV) license.

2. Configure VPN Authentication Profile—The authentication profile is used to authenticate Mac VIA using appropriate authentication servers.

3. Configure VIA Web Authentication—A VIA web authentication profile contains a VPN authentication profile used by end users to login to the VIA download page (https://<server-IP-address>/via) for downloading the VIA client. Only one VPN web authentication profile is available.

4. Associate VIA Connection Profile to User Role—A VIA connection profile has to be associated to a user role. Users will login by authenticating against the server group specified in the VPN authentication profile and are put into that user role. The VIA configuration settings are derived from the VIA connection profile attached to that user role. The default VIA connection profile is used.


5. Configure VIA Client WLAN Profiles—You can push WLAN profiles to end-user computers that use the Microsoft Windows Wireless Zero Config (WZC) service to configure and maintain their wireless networks. After the WLAN profiles are pushed to end-user computers, they are automatically displayed as an ordered list in the preferred networks. The VIA client WLAN profiles provisioned on the client can be selected from the VIA connection profile described in Step 6.

6. Rebranding VIA and Uploading VIA Installers—You can use a custom logo on the VIA client and on the VIA download web page.

7. Download VIA Installer and Version File

Using WebUI to Configure VIA

The following steps illustrate configuring your controller for VIA using the WebUI.

Enable VPN Server Module

You must install the PEFV license to configure and assign user roles. See the Software Licenses chapter in the latest ArubaOS 6.1 User Guide for more information on licenses.

To install a license:

1. Navigate to Configuration > Network > Controller and select the Licenses tab on the right hand side.

2. Paste the license key in the Add New License key text box and click the Add button.

Configure VPN Authentication Profile

The Mac VIA connection manager requires the VPN authentication profile to be set to the appropriate server group. To configure the VPN authentication profile:

1. Navigate to the Configuration > Security > Authentication > L3 Authentication tab.

2. Expand VPN Authentication Profile and then expand the default profile.

3. Select Server Group, and in the configuration options (on the right-hand side), select the appropriate server group from the Server Group drop-down list box.


Figure 1 Configure VPN Authentication Profile.

Create VIA Connection Profile

To create VIA connection profile:

1. Navigate to Configuration > Security > Authentication > L3 Authentication tab. Click the VIA Connection Profile option and enter a name for the connection profile.

Figure 2 Create VIA Connection Profile


2. Click on the new VIA connection profile to configure the connection settings. You can configure the following options for a VIA connection profile.

Table 4 Connection Profile Options

| Configuration Option | Description |
| --- | --- |
| VIA Controller | Enter the following information about the VIA controller. Controller Hostname/IP Address: This is the public IP address or the DNS hostname of the VIA controller. Users will connect to remote server using this IP address or the hostname. Controller Internal IP Address: This is the IP address of any of the VLAN interface IP addresses belonging to this controller. Controller Description: This is a human-readable description of the controller. Click the Add button after you have entered all the details. If you have more than one VIA controller you can re-order them by clicking the Up and Down arrows. To delete a controller from your list, select a controller and click the Delete button. |
| VIA Authentication Profiles to provision | Not supported in VIA 1.0 for Mac. |
| VIA tunneled networks | A list of network destinations (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client. Enter an IP address and network mask. Click the Add button to add them to the tunneled networks list. To delete a network entry, select the IP address and click the Delete button. |
| VIA Client WLAN profiles | A list of VIA client WLAN profiles that need to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks. Select a WLAN profile and click the Add button to add to the client WLAN profiles list. To delete an entry, select the profile name and click the Delete button. See “Configure VIA Client WLAN Profiles” on page 19 for more information. |
| VIA IKE V2 Policy | Not supported in VIA 1.0 for Mac. |
| VIA IKE Policy | List of IKE policies that the VIA Client has to use to connect to the controller. These IKE policies are configured under Configuration > Advanced Services > VPN Services > IPSEC > IKE Policies. |
| Use Windows Credentials | Not supported in VIA 1.0 for Mac. |
| Enable IKEv2 | Not supported in VIA 1.0 for Mac. |
| IKEv2 Authentication method | Not supported in VIA 1.0 for Mac. |
| VIA IPSec V2 Crypto Map | Not supported in VIA 1.0 for Mac. |
| VIA IPSec Crypto Map | List of IPSec Crypto Maps that the VIA client uses to connect to the controller. These IPSec Crypto Maps are configured in CLI using the crypto-local ipsec-map <ipsec-map-name> command. |
| VIA Client Network Mask | The network mask that has to be set on the client after the VPN connection is established. Default: 255.255.255.255 |
| VIA Client DNS Suffix List | The DNS suffix list (comma separated) that has to be set on the client once the VPN connection is established. Default: None. |
| VIA Support E-mail Address | The support e-mail address to which VIA users will send client logs. Default: None. |
| VIA external download URL | Not supported in VIA 1.0 for Mac. |
| Content Security Gateway URL | Not supported in VIA 1.0 for Mac. |
| Enable Content Security Services | Select this checkbox to enable content security service. You must install the Content Security Services licenses to use this option. See the Software Licenses chapter in the latest ArubaOS User Guide for more information on licenses. |
| Client Auto-Login | Enable or disable VIA client to auto login and establish a secure connection to the controller. Default: Enabled |
| Allow client to auto-upgrade | Not supported in VIA 1.0 for Mac. |
| Enable split-tunneling | Not supported in VIA 1.0 for Mac. |
| Allow client-side logging | Enable or disable client side logging. If enabled, VIA client will collect logs that can be sent to the support email-address for troubleshooting. Default: Enabled |
| Allow user to save passwords | Enable or disable users to save passwords entered in VIA. Default: Enabled |
| Validate Server Certificate | Enable or disable VIA from validating the server certificate presented by the controller. Default: Enabled |
| VIA max session timeout | The maximum time (minutes) allowed before the VIA session is disconnected. Default: 1440 min |
| VIA Logon Script | Not supported in VIA 1.0 for Mac. |
| VIA Logoff Script | Not supported in VIA 1.0 for Mac. |
| Maximum reconnection attempts | The maximum number of re-connection attempts by the VIA client due to authentication failures. Default: 3 |
| Allow user to disconnect VIA | Not supported in VIA 1.0 for Mac. |
| Comma separated list of HTTP ports to be inspected (apart from default port 80) | Not supported in VIA 1.0 for Mac. |
| Keep VIA window minimized | Not supported in VIA 1.0 for Mac. |

Configure VIA Web Authentication

To configure VIA web authentication profile:

1. Navigate to Configuration > Security > Authentication > L3 Authentication tab.

2. Expand VIA Web Authentication and click on default profile.

3. Select a profile from VIA Authentication Profile drop-down list box and click the Add button.

To re-order profiles, click the Up and Down button.

To delete a profile, select a profile and click the Delete button.

4. If a profile is not selected, the default VIA authentication profile is used.

Figure 3 Select VIA Authentication Profile

Associate VIA Connection Profile to User Role

To associate a VIA connection profile to a user role:

1. Navigate to Configuration > Security > Access Control > User Roles tab.

2. Select the VIA user role (See “Create VIA Connection Profile” on page 15) and click the Edit button.

3. In the Edit Role page, navigate to VIA Connection Profile and select the connection profile from the drop-down list box and click the Change button.

4. Click the Apply button to save the changes to the configuration.

NOTE: You can have only one profile (default) for VIA web authentication.


Figure 4 Associate VIA Connection Profile to User Role

Configure VIA Client WLAN Profiles

To configure a VIA client WLAN profile:

1. Navigate to Configuration > Advanced Services > All Profiles.

2. Expand Controller Profiles and select VIA Client WLAN Profile.

3. In the Profile Details, enter a name for the WLAN profile and click the Add button.

Figure 5 Create VIA Client WLAN Profile

4. Expand the new WLAN profile and click on the SSID Profile. In the profile details page, select New from the SSID Profile drop-down box and enter a name for the SSID profile.

5. In the Basic tab, enter the network name (SSID) and select 802.11 security settings. Click the Apply button to continue.


Figure 6 Configure the SSID Profile

6. You can now configure the SSID profile by selecting the SSID profile under VIA Client WLAN Profile option.

Figure 7 Configure VIA Client WLAN Profile

The VIA client WLAN profiles are similar to the authentication settings used to set up a wireless network in Microsoft Windows. The following table shows the Microsoft Windows equivalent settings:

Table 5 Configure VIA client WLAN profile

Option
  Description

EAP-PEAP options
  Select the following options, if the EAP type is PEAP (Protected EAP):
    validate-server-certificate: Select this option to validate server certificates.
    enable-fast-reconnect: Select this option to allow fast reconnect.
    enable-quarantine-checks: Select this option to perform quarantine checks.
    disconnect-if-no-cryptobinding-tlv: Select this option to disconnect if server does not present cryptobinding TLV.
    dont-allow-user-authorization: Select this to disable prompts to user for authorizing new servers or trusted certification authorities.

EAP Type
  Select an EAP type used by client to connect to wireless network.
  Default: EAP-PEAP


EAP-Certificate Options
  If you select EAP type as certificate, you can select one of the following options:
    mschapv2-use-windows-credentials
    use-smartcard
    simple-certificate-selection
    use-different-name
    validate-server-certificate

Inner EAP Type
  Select the inner EAP type. Currently supports only EAP-PEAP.

Inner EAP Authentication options
    mschapv2-use-windows-credentials: Automatically use the Windows logon name and password (and domain if any)
    use-smartcard: Use a smart card
    simple-certificate-selection: Use a certificate on the user’s computer or use a simple certificate selection method (recommended)
    validate-server-certificate: Validate the server certificate
    use-different-name: Use a different user name for the connection (and not the CN on the certificate)

Automatically connect when this WLAN is in range
  Select this option if you want WZC (Microsoft Windows Wireless Zero Config tool) to connect when this network (SSID) is available.

EAP-PEAP: Connect only to these servers
  Comma separated list of servers.

Enable IEEE 802.1x authentication for this network
  Select this option to enable 802.1x authentication for this network.
  Default: Enabled.

EAP-Certificate: Connect only to these certificates
  Comma separated list of servers.

Inner EAP-Certificate: Connect only to these servers
  Comma separated list of servers.

Connect even if this WLAN is not broadcasting
  Default: Disabled
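The EAP-PEAP options in Table 5 determine whether the client can be steered to an impostor authentication server. The following check is an added example, not part of the Aruba guide or of ArubaOS: it audits a profile written as a Python dict, and the keys "eap-type" and "peap-servers" (standing in for the "EAP Type" and "EAP-PEAP: Connect only to these servers" rows) are hypothetical names.

```python
# Added example. Keys are the option names from Table 5, except the hypothetical
# "eap-type" and "peap-servers". An option missing from the dict is treated as
# not selected (assumption; the page gives no defaults for these options).
RULES = [
    ("validate-server-certificate",
     "server certificate is not validated; the client cannot tell the real "
     "authentication server from an impostor using the same SSID"),
    ("disconnect-if-no-cryptobinding-tlv",
     "session continues when the server presents no cryptobinding TLV"),
    ("dont-allow-user-authorization",
     "users can be prompted to authorize new servers or trusted CAs"),
]

def audit_peap_profile(profile):
    """Return {option: reason} for settings that weaken a PEAP profile."""
    if profile.get("eap-type", "EAP-PEAP") != "EAP-PEAP":  # Table 5 default
        return {}
    findings = {name: why for name, why in RULES if not profile.get(name)}
    # The server list is comma separated; blank entries pin nothing.
    servers = [s.strip() for s in profile.get("peap-servers", "").split(",")]
    if profile.get("validate-server-certificate") and not any(servers):
        findings["peap-servers"] = ("no server names pinned; any server whose "
                                    "certificate chains to a trusted CA can be accepted")
    return findings

# Constructed profiles: a weak one and a hardened one.
WEAK = {"eap-type": "EAP-PEAP", "enable-fast-reconnect": True}
HARDENED = {
    "eap-type": "EAP-PEAP",
    "validate-server-certificate": True,
    "disconnect-if-no-cryptobinding-tlv": True,
    "dont-allow-user-authorization": True,
    "peap-servers": "radius1.example.com, radius2.example.com",
}

if __name__ == "__main__":
    for label, prof in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit_peap_profile(prof)
        print(label, "->", "OK" if not result else "findings:")
        for option, why in result.items():
            print(f"  {option}: {why}")
```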


Rebranding VIA and Uploading VIA Installers

You can rebrand the VIA client and the VIA download page with your custom logo and HTML page. Additionally, you can now upload the latest versions of VIA installers.

Figure 8 Customize VIA logo, Landing Page, and download VIA Installer

Download VIA Installer and Version File

To download the VIA installer and version file:

1. Navigate to Configuration > Advanced Services > VPN Services > VIA tab.

2. Under VIA installers for various platforms section, click ansetup.msi to download the installation file.

Upload VIA Installer

To upload a new VIA installer:

1. Navigate to Configuration > Advanced Services > VPN Services > VIA tab.

2. Under Upload new VIA Installers, browse and select the installer from your computer. Click the Upload button to upload the installer to the controller.

Customize Logo

To use a custom logo on the VIA download page and on the VIA client:

1. Navigate to Configuration > Advanced Services > VPN Services > VIA tab.

2. Under the Customize Logo section, browse and select a logo from your computer. Click the Upload button to upload the image to the controller.

To use the default Aruba logo, click the Reset button.

Customize the Landing Page for Web-based Login

To use a custom landing page for VIA web login:

1. Navigate to Configuration > Advanced Services > VPN Services > VIA tab.

2. Under the Customize Welcome HTML section, browse and select the HTML file from your computer. Click the Upload button to upload the file to the controller. The following variables are used in the custom HTML file:

All variables in the custom HTML file have the following notation:

<% user %>: this will display the username.

<% ip %>: this will display the IP address of the user.

NOTE: To use the controller to distribute VIA, your controller must be running ArubaOS 6.1 or later and you need to upload the signed version of VIA client using the .arb file.


<% role %>: this will display the user role.

<% logo %>: this is the custom logo (Example: <img src="<% logo %>">)

<% logout %>: the logout link (Example: <a href="<% logout %>">VIA Web Logout</a>)

<% download %>: the installer download link (Example: <a href="<% download %>">Click here to download VIA</a>)

To use the default welcome page, click the Reset button.

3. Click the Apply button to continue.

Using CLI to Configure VIA

The following steps illustrate configuring VIA using the CLI. Install your Policy Enforcement Firewall Virtual Private Network (PEFV) license key.

(host) (config)# license add <key>

Create VPN Authentication Profile

(host) (config)# aaa authentication vpn default
(host) (VPN Authentication Profile "default") # server-group internal

Create VIA Connection Profiles

(host) (config) #aaa authentication via connection-profile "via"
(host) (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary Controller" position 0
(host) (VIA Connection Profile "via") #auth-profile "default" position 0
(host) (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0
(host) (VIA Connection Profile "via") #split-tunneling
(host) (VIA Connection Profile "via") #client-netmask 255.0.0.0
(host) (VIA Connection Profile "via") #dns-suffix-list example.com
(host) (VIA Connection Profile "via") #support-email [email protected]

Enter the following command after you create the client WLAN profile. See “Configure VIA Client WLAN Profiles” on page 19.

(host) (VIA Connection Profile "via") #client-wlan-profile "via_corporate_wpa2" position 0

Configure VIA Web Authentication

(host) (config) #aaa authentication via web-auth default
(host) (VIA Web Authentication "default") #auth-profile default position 0

Associate VIA Connection Profile to User Role

(host) (config) #user-role "example-via-role"
(host) (config-role) #via "via"

Configure VIA Client WLAN Profiles

(host) (config) #wlan ssid-profile "via_corporate_wpa2"
(host) (SSID Profile "via_corporate_wpa2") #essid corporate_wpa2
(host) (SSID Profile "via_corporate_wpa2") #opmode wpa2-aes

NOTE: Commands that achieve specific tasks are described in this section. For detailed information on the VIA command line options, see the latest ArubaOS Command Reference Guide.

NOTE: You can have only one profile (default) for VIA web authentication.


(host) (SSID Profile "via_corporate_wpa2") #wlan client-wlan-profile "via_corporate_wpa2"
(host) (VIA Client WLAN Profile "via_corporate_wpa2") #ssid-profile "via_corporate_ssid"

For detailed configuration parameter information, see the “wlan client-wlan-profile” command in the latest ArubaOS Command Reference Guide.
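The CLI steps above define profiles in one place and reference them by name in another, so a mistyped name silently detaches a profile from the role or WLAN it was meant for. The following cross-reference check is an added example, not Aruba code: it uses only the command forms shown on this page, the transcript is a constructed copy of those lines, and how the controller itself treats an undefined name is not stated here.

```python
import re
import shlex

# Constructed input: CLI lines copied from this page, one command per line.
TRANSCRIPT = '''\
(host) (config) #aaa authentication via connection-profile "via"
(host) (VIA Connection Profile "via") #auth-profile "default" position 0
(host) (VIA Connection Profile "via") #client-wlan-profile "via_corporate_wpa2" position 0
(host) (config) #user-role "example-via-role"
(host) (config-role) #via "via"
(host) (config) #wlan ssid-profile "via_corporate_wpa2"
(host) (SSID Profile "via_corporate_wpa2") #essid corporate_wpa2
(host) (SSID Profile "via_corporate_wpa2") #opmode wpa2-aes
(host) (SSID Profile "via_corporate_wpa2") #wlan client-wlan-profile "via_corporate_wpa2"
(host) (VIA Client WLAN Profile "via_corporate_wpa2") #ssid-profile "via_corporate_ssid"
'''

# Commands that create a named profile -> profile kind (forms seen on this page).
DEFINES = {
    ("aaa", "authentication", "via", "connection-profile"): "via-conn",
    ("wlan", "ssid-profile"): "ssid",
    ("wlan", "client-wlan-profile"): "client-wlan",
}
# Sub-commands that point at a profile by name -> kind the name must resolve to.
REFERS = {"via": "via-conn", "client-wlan-profile": "client-wlan",
          "ssid-profile": "ssid"}
# Everything up to the '#' that ends the prompt is discarded.
PROMPT = re.compile(r"^\(host\).*?\)\s*#\s*(.*)$")

def dangling_references(transcript):
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    defined, used = set(), []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        words = shlex.split(m.group(1))  # honours the quoted profile names
        for prefix, kind in DEFINES.items():
            if tuple(words[:len(prefix)]) == prefix and len(words) > len(prefix):
                defined.add((kind, words[len(prefix)]))
                break
        else:  # not a defining command: is it a reference?
            if len(words) >= 2 and words[0] in REFERS:
                used.append((REFERS[words[0]], words[1]))
    # Order of definition is ignored: the page itself defers one command.
    return sorted(set(u for u in used if u not in defined))

if __name__ == "__main__":
    for kind, name in dangling_references(TRANSCRIPT):
        print(f"{kind} profile {name!r} is referenced but not defined")
```

Run against the lines above, it reports the SSID profile name "via_corporate_ssid", which differs from the "via_corporate_wpa2" SSID profile created two steps earlier.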

Rebranding VIA and Uploading VIA Installers

This step can only be performed using the WebUI. See “Rebranding VIA and Uploading VIA Installers” on page 22.


Chapter 3

End-User Instructions

This chapter provides instructions to install, upgrade, and use the VIA connection manager.

Topics in this chapter

“Installing and Uninstalling VIA”

“Upgrade Workflow”

“Troubleshooting VIA Issues”

Installing and Uninstalling VIA

Installing VIA

1. Download the installer (anviainstaller.pkg) from the URL provided by the IT department.

2. Double click the installer file and follow the default prompts.

3. After the installation is complete, the VIA Preference Pane will launch and the user will be prompted to enter the following:

Remote server URL—This should be provided by the IT department.

Username—The user's domain user name.

Password—The user's domain password.

4. Go to System Preferences > Other > select VIA to view VIA connection details.

5. Go to System Preferences > Network and, in the list of network connections, select VIA to modify the login details and remote server address.

Uninstalling VIA

To uninstall VIA, run the sudo /usr/local/bin/arubaviaunistaller.sh command from the terminal window.

VIA Connection Status

To view the status of the VIA connection:

1. Go to System Preferences > Network and, in the list of network connections, select Aruba VIA.

2. Select the Show VPN status in menu bar checkbox. The VIA connection status will be visible in the Mac menu bar. You can use the connection status icon to connect or disconnect the VIA connection.


Figure 9 VIA Connection Status

Upgrade Workflow

The VIA connection manager is upgraded when you install a new version provided by your IT administrator.

Using the VIA Connection Manager

The VIA connection manager can be accessed from System Preferences. When connected, the VIA connection manager provides information about the current connection. In the Connection Details tab, you can view:

Profile in Use—Displays the VIA connection profile used to establish the current connection. This profile is created by your IT administrator.

Remote Server Address—The VIA server to which the VIA connection manager is connected.

Assigned IP Address—The IP address provided by the VIA remote server.

Traffic Sent/Received—Amount of data sent and received during the VIA connection.

Connected Time—The duration of the VIA connection.

Connection Messages—This section lists the sequence of events that occurred after the current VIA connection was established.

Send Logs—Click the button to generate the mobility bundle. This is required to investigate any VIA issue. See “Troubleshooting VIA Issues” on page 26 for more details.

Settings—This tab allows you to reset the current VIA profile settings or select a different VIA connection profile from the list.

Troubleshooting VIA Issues

The mobility bundle is required to effectively investigate any VIA issue. The mobility bundle is a collection of log files generated by the VIA client on Mac OS. These log files belong to PPP, DNS, ifconfig, syslog, and other system processes.

VIA Log Files

Connectivity issue—Sys logger, IPSEC, and PPP log files.

DNS resolve issue—DNS-configuration (i.e. DNS resolver), /etc/resolv.conf, and ifconfig log files.

VPN configuration issue—preferences.plist file.


Automatically Generate and Submit Log Files

1. Click the Send Log button on the Mac VIA client.

2. The log files are generated and stored in the /var/tmp folder.

3. Attach the log file to an email and send it to your support team.

Manually Generate and Submit Log Files

1. In a terminal window, run the sudo /System/Library/Frameworks/SystemConfiguration.framework/Resources/get-mobility-info command.

Debug Connectivity Issues

Check the following:

Sys logger for OS and Mac VIA logging

PPP log for PPP process

IPSec SA/SPD for IPSEC file.

Check dns-configuration (/etc/resolv.conf) to check any DNS assignment issue.
