VIAis part of theArubaremote networks solution intended for teleworkers and mobile users.VIAdetects the network environment (trusted and untrusted) of the user and connects the users to the enterprise network. Trusted networks refers to a protected office network that allows users to directly access the corporate intranet. Untrusted networks are publicWi-FiWi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard.hotspotsHotspot refers to a WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet.such as airports, cafes, or home network.
TheVIAsolution includes theVIAclient,Mobility Masterwithmanaged deviceconfiguration.
VIAclient—Remote workers and mobile users can installVIAon their computers
Mobility Masterandmanaged deviceconfiguration—To set upVIAfor remote users, configure theVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.forVIAin theMobility Masterand configure the authentication profile and connection profile in the managed network.
VIAconfiguration settings are in the following sections of the WebUI:
In the
node hierarchy, navigate to .In the
node hierarchy, navigate to
For information on configuring the settings in these profiles, refer to theVIAVirtual Intranet Access. VIA provides secure remote network connectivity for Android, Apple iOS, Mac OS X, and Windows mobile devices and laptops. It automatically scans and selects the best secure connection to the corporate network.3.x User Guide. |
Topics in this section also include:
License Requirements
Managed devicesrunningArubaOS8.x require one of two available license types to supportVIAVirtual Intranet Access. VIA provides secure remote network connectivity for Android, Apple iOS, Mac OS X, and Windows mobile devices and laptops. It automatically scans and selects the best secure connection to the corporate network.users, the license, or the license.
ThefirewallFirewall is a network security system used for preventing unauthorized access to or from a private network.policies to clients using aVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.to connect to themanaged device. ThisPEFVPolicy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel.license is purchased as a single device-specific license that enabled the functionality up to the full user capacity of themanaged device.
license allows a network administrator to applyArubaOS8.2.0.0 and later supports a sharable license. EachVIAclient or 3rd partyVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.client consumes a singleVIAlicense. (VIAlicenses are not consumed by site-to-site VPNs.) If a standalonecontrolleror amanaged devicemanaged byMobility Masterhas aPEFVPolicy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel.license, that device will not consumeVIAlicenses from a licensing pool, as a singlePEFVPolicy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel.license supports allVIAand 3rd partyVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.clients, up to the full user capacity for thatcontrollerormanaged device.
Marking Outgoing Packets with ToS Bits
Starting fromArubaOS8.3.0.0, you can configure the type of service-differentiated service code point (ToSType of Service. The ToS field is part of the IPv4 header, which specifies datagrams priority and requests a route for low-delay, high-throughput, or a highly reliable service.-DSCPDifferentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment.) formanaged devices. This provides the ability forVIAto mark outgoingIKEInternet Key Exchange. IKE is a key management protocol used with IPsec protocol to establish a secure communication channel. IKE provides additional feature, flexibility, and ease of configuration for IPsec standard.and ESP packets with customDSCPDifferentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment.. When aVIAclient downloads the connection-profile, this value also gets pushed.VIAsets the configuredDSCPDifferentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment.value to outer IP header'sToSType of Service. The ToS field is part of the IPv4 header, which specifies datagrams priority and requests a route for low-delay, high-throughput, or a highly reliable service.byte. You can use this to markIPsecInternet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session.packets with higherQoSQuality of Service. It refers to the capability of a network to provide better service and performance to a specific network traffic over various technologies./DSCPDifferentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment.than Best Effort.
下面的过程介绍如何配置the
parameter in the WebUI:1.In the node hierarchy, navigate to and expand the menu.
2.扩大 profile option and select the name of an existing profile or click to create a new profile.
3.Click the profile or other saved profile where you want to make changes.
4.In the pane on the right, enter a value for . The allowed value range is 0-63.
5.Click .
6.Select .
7.In the window, select the check box and click .
The followingCLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions.commands configure the parameter in themanaged devicenode:
(host) [mynode] (config) #aaa authentication via connection-profile
(host) [mynode] (VIA Connection Profile "
For more details on configuring, installing, and usingVIA, refer to the latest version of theAruba VIA for Mobility Master User Guide.
VIAClient Audit
Starting fromArubaOS8.4.0.0, when a user authenticates and accesses theVIA客户,notification with details about the last successful logon date and time stamp is provided.
The followingCLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions.commands enables to view the username and the last login information:
(host) [mm] #show via-lastlogin
VIAVPN Client Visibility
Starting fromArubaOS8.4.0.0, theVIAclient users are separately displayed on the WebUI forVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.client visibility. You can view the client users in the page in the WebUI.
Previously, you could view theVIAVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.users using theCLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions.commands, and . However, now theVIAVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.users information is published to a new GSM channel, via_user and can be seen using theCLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions.command, .
VIAVPN Client Capability
Starting fromArubaOS8.4.0.0, theVIAclient provides a new option (VIAconnection profile knob) to enable forwarding of Layer-2GREGeneric Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network.tunnel. This feature allows theVIAclient to sendGREGeneric Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network.packets containingEthernetEthernet is a network protocol for data transmission over LAN.frame by using theIPsecInternet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session.tunnel established with themanaged device.
The followingCLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions.commands enable the Layer-2 forwarding option inVIAVirtual Intranet Access. VIA provides secure remote network connectivity for Android, Apple iOS, Mac OS X, and Windows mobile devices and laptops. It automatically scans and selects the best secure connection to the corporate network.connection profile:
(host) [mynode] (config) # aaa authentication via connection-profile default
(host) [mynode] (VIA Connection Profile "default") # l2-forwarding
VIAUnique Identifier
StartingArubaOS8.4.0.0,VIAuses theMACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.address of a client as the calling station id when sending an authentication request toClearPass政策经理. In earlier versions, the IP address of the client was used as the calling station id.
VIA VPN Client Authentication
Starting fromArubaOS8.5.0.0, theVIAconnection profile includesEAP-GTCEAP – Generic Token Card. (non-tunneled).authentication option. This option ensures that theVIAclient establishesIKEv2Internet Key Exchange version 2. IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec. IKEv2 uses pre-shared key and Digital Signature for authentication. See RFC 4306.tunnel with themanaged device.
下面的过程介绍如何配置EAP-GTCEAP – Generic Token Card. (non-tunneled).in the WebUI:
1.In the node hierarchy, navigate to tab.
2.In the list, expand the menu.
3.扩大 profile option and select the name of an existing profile or click to create a new profile.
4.In the pane on the right, select from the field drop-down list.
5.Click .
6.Select .
7.In the window, select the check box and click .
The followingCLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions.commands set theEAP-GTCEAP – Generic Token Card. (non-tunneled).as the authentication method:
(host) [mynode] (config) # aaa authentication via connection-profile
(host) [mynode] (VIA Connection Profile "profile_name") #ikev2auth eap-gtc