Filter
Top Products
554 | VirtualIntranet Access DellPowerConnectW-SeriesArubaOS6.2 | User Guide
Before you Begin
The following ports must be enabled before configuring the VIA controller.
l TCP 443—During the initializing phase, VIA uses HTTPS connections to perform trusted network and captive
portal checks against the controller. It is mandatory that you enable port 443 on your network to allow VIA to
perform these checks.
l UDP 4500—Required for IPSec transport
l UDP 500—Required for VIA 1.0 on Mac OS
Supported Authentication Mechanisms
VIA 1.x and VIA 2.x support different authentication mechanisms:
Authentication mechanisms supported in VIA 1.x
Authentication is performed using IKEv1 only. Phase 0 authentication, which authenticates the VPN client, can be
performed using either a pre-shared key or an X.509 certificate (the X.509 certificate must appear in the operating
system’s “user” certificate store.). If certificates are used for IKE phase 0 authentication, it must be followed by
username/password authentication.
The second authentication phase is performed using xAuth, which requires a username and password. The username
and password is authenticated against the controller’s internal database, a RADIUS server, or an LDAP server. If a
RADIUS server is used, it must support the PAP protocol.
Support for two-factor authentication such as token cards is provided in VIA 1.x. Token product like RSA tokens
and other token cards are also supported. This includes support for new-pin and next-pin.
Authentication mechanisms supported in VIA 2.x
In addition to the authentication methods supported by VIA 1.x, VIA 2.x adds support for IKEv2. IKEv2 is an
updated version that is faster and supports a wider variety of authentication mechanisms. IKEv2 does not have two
phases of authentication, only a single phase. VIA supports the following with IKEv2:
l Username/password
l X.509 certificate. Controllers running ArubaOS 6.1 or greater support OCSP for the purpose of validating that a
certificate has not been revoked.
l EAP (Extensible Authentication Protocol) including EAP-TLS and EAP-MSCHAPv2.
Other authentication methods:
l Certificates based authentication.
l Smart cards that support a Smart Card Cryptographic Provider (SCCP) API within the operating system. VIA
will look for an X.509 certificate in the operating system’s certificate store. A smart card supporting a SCCP will
cause the certificate embedded within the smart card to automatically appear in the operating system’s
certificate store.
Suite B Cryptography Support
Suite B is a new set of cryptographic algorithms that are approved by the US Government for use in classified
communication. Suite B provides the highest levels of security available today in public, commercial algorithms.
Specifically, VIA provides support for:
l RFC 4869—Suite B Cryptographic Suites for IPsec
l AES-GCM 128/256 for bulk data transfer