User's Manual
• Username/password
• X.509 certificate. Controllers running ArubaOS 6.1 or greater support OCSP for the purpose of validating
that a certificate has not been revoked.
• EAP (Extensible Authentication Protocol) including EAP-TLS and EAP-MSCHAPv2.
Other authentication methods:
• Certificate-based authentication.
• Smart cards that support a Smart Card Cryptographic Provider (SCCP) API within the operating system. VIA
will look for an X.509 certificate in the operating system’s certificate store. A smart card supporting an SCCP
will cause the certificate embedded within the smart card to automatically appear in the operating system’s
certificate store.
Suite B Cryptography Support
Suite B is a new set of cryptographic algorithms that are approved by the US Government for use in classified
communication. Suite B provides the highest levels of security available today in public, commercial algorithms.
Specifically, VIA provides support for:
• RFC 4869—Suite B Cryptographic Suites for IPsec
• AES-GCM 128/256 for bulk data transfer
• ECDSA for digital signatures, including support for X.509v3 certificates using ECDSA keys with p256/p384
curves
• ECDH for key agreement using p256/p384 curves
• SHA-256 and SHA-384 for message digests
Suite B support requires a controller running Dell Networking W-Series ArubaOS 6.4.x or greater with the Advanced
Cryptography License installed. See Software Licenses on page 130 for more information on licenses.
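Added example (not part of the Dell/Aruba guide): RFC 4869 pairs the algorithms listed above by strength, so AES-GCM 128 goes with P-256 and SHA-256, and AES-GCM 256 goes with P-384 and SHA-384. The Python below audits a negotiated proposal against the two GCM suites of RFC 4869 and reports mixed-strength fields. The field names, value strings and sample proposals are constructed for illustration and are not ArubaOS or VIA syntax; only four of the RFC's fields are checked.

```python
# Added example: audit an IPsec proposal against the RFC 4869 GCM suites.
# Field names and value strings are assumptions made for this example.

SUITES = {
    "Suite-B-GCM-128": {
        "esp_encryption": "AES-GCM-128",
        "ike_prf": "HMAC-SHA-256",
        "dh_group": "ECP-256",    # ECDH on P-256
        "auth": "ECDSA-256",      # ECDSA with SHA-256 on P-256
    },
    "Suite-B-GCM-256": {
        "esp_encryption": "AES-GCM-256",
        "ike_prf": "HMAC-SHA-384",
        "dh_group": "ECP-384",    # ECDH on P-384
        "auth": "ECDSA-384",      # ECDSA with SHA-384 on P-384
    },
}

def audit_proposal(proposal):
    """Return (closest_suite, deviations).

    deviations maps field -> (found, expected) for the closest suite;
    an empty dict means the proposal matches that suite on every field.
    """
    best = None
    for name, required in SUITES.items():
        deviations = {
            field: (proposal.get(field), expected)
            for field, expected in required.items()
            if proposal.get(field) != expected
        }
        if best is None or len(deviations) < len(best[1]):
            best = (name, deviations)
    return best

# Constructed sample proposals.
COMPLIANT = dict(SUITES["Suite-B-GCM-128"])
MIXED = {"esp_encryption": "AES-GCM-256", "ike_prf": "HMAC-SHA-384",
         "dh_group": "ECP-256", "auth": "ECDSA-384"}   # key agreement too weak
LEGACY = {"esp_encryption": "AES-CBC-256", "ike_prf": "HMAC-SHA-1",
          "dh_group": "MODP-1024", "auth": "RSA"}

if __name__ == "__main__":
    for label, p in (("compliant", COMPLIANT), ("mixed", MIXED), ("legacy", LEGACY)):
        suite, dev = audit_proposal(p)
        print(label, suite, dev if dev else "exact match")
```

A proposal such as `MIXED` uses only algorithms from the list above yet matches neither suite, because its ECDH curve is weaker than the rest of the set.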
802.11 Suite-B
The bSec protocol is a pre-standard protocol that has been proposed to the IEEE 802.11 committee as an
alternative to 802.11i. The main difference between bSec and standard 802.11i is that bSec implements Suite
B algorithms wherever possible. Notably, AES-CCM is replaced by AES-GCM, and the Key Derivation Function
(KDF) of 802.11i is upgraded to support SHA-256 and SHA-384. In order to provide interoperability with
standard Wi-Fi software drivers, bSec is implemented as a shim layer between standard 802.11 Wi-Fi and a
Layer 3 protocol such as IP. A controller configured to advertise a bSec SSID will advertise an open network;
however, only bSec frames will be permitted on the network.
The bSec protocol requires that you use VIA 2.1. or greater on the client device.
Configuring VIA Settings
The following steps are required to configure your controller for VIA. These steps are described in detail in the
subsections that follow.
1. Enable VPN Server Module—ArubaOS allows you to connect to the VIA controller using the default user
roles. However, to configure and assign specific user roles you must install the Policy Enforcement Firewall
Virtual Private Network (PEFV) license. For details, see Enable VPN Server Module on page 684.
2. Create VIA User Roles—VIA user roles contain access control policies for users connecting to your network
using VIA. You can configure different VIA roles or use the default VIA role—default-via-role. For details,
see Create VIA User Roles on page 684.
3. Create VIA Authentication Profile—A VIA authentication profile contains a server group for authenticating
VIA users. The server group contains the list of authentication servers and server rules to derive user roles
Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Intranet Access | 683