Enabling MFA For Aruba VIA With Okta

What is better than Aruba VIA? VIA with Okta MFA! Most are probably familiar with Aruba’s Remote AP (RAP) product line, but what happens when you’re not at home? Aruba has a software option that offers many of the same features as the traditional hardware RAP. Aruba VIA is a popular choice and works with the same gateway devices as the RAP and traditional campus APs. VIA supports various authentication methods; this post shows how to integrate VIA with Okta and add MFA push notifications.

Before you Begin

Go through the Aruba VIA Configuration Guide to understand how the VPN framework works in the context of the Aruba gateways. https://www.arubanetworks.com/techdocs/VIA/4x/Content/home.htm

Steps to Configure Aruba VIA (Radius) Application in Okta

To configure the Radius application in Okta, complete the following steps:

  • Step 1: Install the Okta Radius server agent
  • Step 2: Configure Radius application in Okta
  • Step 3: Configure VIA authentication profile
  • Step 4: Enable MFA (optional)

Step 1: Install the Okta Radius server agent

  1. From the Okta portal download the Okta radius server agent
  2. Install the agent on the server (Cloud or Local)

AWS: https://help.okta.com/en/prod/Content/Topics/integrations/aws-radius-intg-install-radius.htm

Local: https://help.okta.com/en/prod/Content/Topics/integrations/getting-started-overview.htm

  3. When prompted, follow the URL to authorize the agent and link it to the Okta account

https://{yourorg.okta.com}/oauth2/auth?code={code}

Step 2: Configure Radius application in Okta

  1. Log in to the Okta administration console.
  2. Click Applications > Browse App Catalog and search for Radius
  3. Select Radius Application from the list.
  4. Click Add
  5. Give the application a name and click Next.
  6. Open the application, click Sign On and under Settings click Edit
  7. Set the radius port (default 1812)
  8. Set a shared secret; this must match what is set on the Aruba gateway
  9. Click Save
  10. Under Advanced Radius Settings click Edit
  11. Under Authentication click the checkbox for “Accept password and security token in the same login request” and “Permit Automatic Push for Okta Verify Enrolled Users”
  12. Click Save

Step 3: Configure VIA authentication profile

VIA can be configured on an AOS8 controller, SD-Branch (VPNC) or an AOS10 gateway:

Aruba Central (VPNC / AOS10 Gateway)

  1. Log into Aruba Central and select the VPNC group (or device level if required)
  2. Enable Advanced Mode
  3. Under Security > Auth Servers, click the + sign to add a server group
  4. Name the server group and click save settings
  5. Select the Okta server group and click the + sign to add the Okta radius server
  6. Select Add new server and enter a name and the IP/Hostname of the Okta radius server
  7. Click Save
  8. Click the Okta server name to edit the settings
  9. Add the Shared key (the same secret set on the Radius application's Sign On settings in Step 2)
  10. Change the Timeout Value to 30 and Retransmits to 1 (the longer timeout gives the user time to approve the Okta Verify push before the gateway gives up, and the low retransmit count avoids duplicate requests, each of which would prompt the user again)
  11. Under Security > L3 Authentication > VIA Authentication Profile – click + to add the Okta server group
  12. Select the new profile then click server group
  13. Change the Server Group to the Okta group you created previously
  14. Click Save
  15. Create the VIA Connection profile (these steps are documented in detail in the VIA configuration guide); no specific changes are required for using Okta. https://www.arubanetworks.com/techdocs/VIA/4x/Content/home.htm

Aruba AOS 8 (Mobility Conductor and Gateway) Config:

  1. Log into Mobility Conductor (or stand-alone gateway)
  2. Select the group (or device level if required)
  3. Under Security > Auth Servers – click the + sign to add a server group
  4. Name the server group and click save settings
  5. Select the Okta server group and click the + sign to add the Okta radius server
  6. Select Add new server and enter a name and the IP/Hostname of the Okta radius server
  7. Click Save
  8. Click the Okta server name to edit the settings
  9. Add the Shared key (the same secret set on the Radius application's Sign On settings in Step 2)
  10. Change the Timeout Value to 30 and Retransmits to 1 (the longer timeout gives the user time to approve the Okta Verify push before the gateway gives up, and the low retransmit count avoids duplicate requests, each of which would prompt the user again)
  11. Under Security > L3 Authentication > VIA Authentication Profile – click + to add the Okta server group
  12. Select the new profile then click server group
  13. Change the Server Group to the Okta group you created previously
  14. Click Save
  15. Create the VIA Connection profile (these steps are documented in detail in the VIA configuration guide); no specific changes are required for using Okta. https://www.arubanetworks.com/techdocs/VIA/4x/Content/home.htm

Step 4: (Optional) Enable MFA

This step enables MFA support for VIA. Once the user initiates the VIA connection, Okta triggers an MFA push notification. When the user accepts the push, the VIA connection is established.

  1. From the Okta portal select the Aruba VIA application
  2. Under Sign On Policy – click Add Rule
  3. Give the rule a name (MFA Always as an example)
  4. Change the Action access to Always and verify Prompt for factor is checked
  5. Click Save
  6. Verify the MFA policy is in the correct order and enabled

Testing and Troubleshooting:

Install the VIA client on the device, then click to download/install the VIA profile.

Enter the hostname of the gateway and click Proceed.

Enter the username / password for the user. This will be the same username / password used for authentication with Okta.

If successful, you should see the VIA connection establish.

If MFA is enabled, you should get a push notification. Once accepted the connection will establish.

TIP: Be sure to enroll your device in MFA prior to testing. There is no workflow that supports adding the device at the time of first authentication; it must be done beforehand.

If the push notification fails but the client still connects – verify the MFA policy is enabled under the VIA application's Sign On settings in Okta.

If the credentials are valid but the client fails to connect – verify the gateway has connection to the Okta radius service. For AOS8 the AAA Test Server can be used to verify connection. From the gateway select Diagnostics > AAA Test Server, select Okta, auth method PAP and enter the username / password.
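The AAA Test Server runs from the gateway itself. The following added example (written for this post, not Aruba's or Okta's code, and using only the Python standard library) performs the same PAP check from any host that can reach the Okta radius agent, which helps separate a gateway-side problem from an agent-side one. It builds an Access-Request with the RFC 2865 password hiding, waits the same 30 seconds the server settings in Step 3 allow so the push can be approved, sends only once so no second push is triggered, and verifies the reply's Response Authenticator so a shared-secret mismatch is reported instead of a reply being trusted blindly. The host, port, shared secret, username and password are assumptions passed on the command line; the make_response helper exists only to exercise the checker offline.

```python
"""Constructed stdlib-only RADIUS PAP test client (not Aruba or Okta code)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block of the null-padded password
    with MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption, which
    is why the RADIUS leg belongs on a trusted network."""
    if len(password) > 128:
        raise ValueError("PAP password limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)  # at least one block, even when empty
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, used for local self-checks; padding nulls are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_id="via-test", authenticator=b""):
    """Return (packet, request_authenticator). A random authenticator is generated
    unless one is supplied; supplying one is only for offline checks."""
    auth = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth


def parse_attributes(data: bytes) -> dict:
    """Map attribute type -> list of values, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(data[i + 2:i + length])
        i += length
    return attrs


def make_response(code, ident, secret, request_auth, attrs=b""):
    """Build a reply the way a RADIUS server would (RFC 2865 section 3).
    Constructed helper, only used to exercise check_response without a live server."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def check_response(resp, ident, secret, request_auth):
    """Verify identifier and Response Authenticator before naming the outcome."""
    if len(resp) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length < 20 or length > len(resp):
        raise ValueError("identifier/length mismatch")
    resp = resp[:length]  # octets beyond the declared length are padding
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch or spoofed reply")
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(code, "other")


def radius_pap_test(host, port, secret, username, password, timeout=30.0):
    """One request and one long wait: long enough to approve the Okta Verify push,
    with no retransmit so a second push is not triggered."""
    ident = os.urandom(1)[0]
    pkt, auth = build_access_request(ident, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return check_response(data, ident, secret, auth)


if __name__ == "__main__":
    import sys
    host, port, secret, user, pw = sys.argv[1:6]  # hypothetical CLI usage
    print(radius_pap_test(host, int(port), secret.encode(), user, pw))
```

Run it as `python radius_pap_test.py <okta-agent-host> 1812 <shared-secret> <username> <password>` and approve the push when it arrives. A `timeout` result means no reply came back within 30 seconds: the agent was unreachable, the port is wrong, or the push was not approved in time. A `reject` means Okta received and refused the request, so the application logs are the next place to look. A ValueError about the Response Authenticator means a reply arrived but was not computed with the same secret, which points at the shared key on the gateway not matching the Okta application.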
If authentication fails, check the Okta application logs. Log into Okta and under the VIA application, click view logs.
Verify the event was seen by Okta and the reason for the failure.
TIP: Make sure the proper group or the individual user is assigned to the VIA application in Okta. If not, the authentication will fail.