418 | Virtual Intranet Access Dell PowerConnect W-Series ArubaOS 6.1 | User Guide
Authentication mechanisms supported in VIA 1.x
Authentication is performed using IKEv1 only. Phase 0 authentication, which authenticates the VPN client, can
be performed using either a pre-shared key or an X.509 certificate (the X.509 certificate must appear in the
operating system’s “user” certificate store). If certificates are used for IKE phase 0 authentication, that phase must be
followed by username/password authentication.
The second authentication phase is performed using xAuth, which requires a username and password. The
username and password are authenticated against the controller’s internal database, a RADIUS server, or an LDAP
server. If a RADIUS server is used, it must support the PAP protocol.
Support for two-factor authentication such as token cards is provided in VIA 1.x. Token products such as RSA tokens
and other token cards are also supported. This includes support for new-pin and next-pin.
Authentication mechanisms supported in VIA 2.x
In addition to the authentication methods supported by VIA 1.x, VIA 2.x adds support for IKEv2. IKEv2 is an
updated version that is faster and supports a wider variety of authentication mechanisms. IKEv2 does not have
two phases of authentication, only a single phase. VIA supports the following with IKEv2:
- Username/password
- X.509 certificate. Controllers running ArubaOS 6.1 or greater support OCSP for the purpose of validating that a certificate has not been revoked.
- EAP (Extensible Authentication Protocol) including EAP-TLS and EAP-MSCHAPv2.
Other authentication methods:
- Certificate-based authentication.
- Smart cards that support a Smart Card Cryptographic Provider (SCCP) API within the operating system. VIA will look for an X.509 certificate in the operating system’s certificate store. A smart card supporting an SCCP will cause the certificate embedded within the smart card to automatically appear in the operating system’s certificate store.
Suite B Cryptography Support
Suite B is a new set of cryptographic algorithms that are approved by the US Government for use in classified
communication. Suite B provides the highest levels of security available today in public, commercial algorithms.
Specifically, VIA provides support for:
- RFC 4869: Suite B Cryptographic Suites for IPsec
- AES-GCM 128/256 for bulk data transfer
- ECDSA for digital signatures, including support for X.509v3 certificates using ECDSA keys with p256/p384 curves
- ECDH for key agreement using p256/p384 curves
- SHA-256 and SHA-384 for message digests
Configuring VIA Settings
The following steps are required to configure your controller for VIA. These steps are described in detail in the
subsections that follow.
NOTE: Suite B support requires a controller running Dell PowerConnect W-Series ArubaOS 6.1 or greater
with the Advanced Cryptography License installed. See Chapter 34, “Software Licenses” for more
information on licenses.










