Aruba VIA 3.0.3 Android Edition Release Notes
Aruba, a Hewlett Packard Enterprise company

Copyright Information

Copyright 2017 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA

Revision 01, August 2017

Contents

Release Overview
    About VIA
    Contacting Support
What's New in This Release
    Features Introduced in VIA 3.0.3
        Certificate-Based Authentication for Profile Downloads
        Marking Outgoing Packets with ToS Bits
    Resolved Issues in VIA 3.0.3
    Known Issues in VIA 3.0.3
Features Added in Previous Releases
    Features Introduced in VIA 3.0.2
        Login Banner
        Support for Sideloaded VPN Connection Profiles with Samsung Knox
    Features Introduced in VIA 3.0.1
    Features Introduced in VIA 3.0.0
        VIA User Interface
        Lockdown All Settings
        Support for Samsung Knox
Resolved Issues in Previous Releases
    Resolved Issues in VIA 3.0.2
    Resolved Issues in VIA 3.0.1
    Resolved Issues in VIA 3.0.0
Known Issues in Previous Releases
    Known Issues in VIA 3.0.1
    Known Issues in VIA 3.0.0

Release Overview

Aruba VIA 3.0.3 is a major software release that introduces new features and fixes to issues identified in previous releases of Aruba VIA Android Edition. For more details, see the Aruba VIA 3.0.3 Android Edition User Guide.

About VIA

Virtual Intranet Access (VIA) is part of the Aruba remote networks solution targeted for teleworkers and mobile users. VIA detects the network environment (trusted and untrusted) of the user and automatically connects the user to the enterprise network. A trusted network refers to a protected office network that allows users direct access to the corporate intranet. Untrusted networks are public Wi-Fi hotspots such as airports, cafes, or home networks.

Contacting Support

Table 1: Contact Information

Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone: arubanetworks.com/support-services/contact-support/
Software Licensing Site: hpe.com/networking/support
End-of-life Information: arubanetworks.com/support-services/end-of-life/
Security Incident Response Team (SIRT): Site: arubanetworks.com/support-services/security-bulletins/ Email: sirt@arubanetworks.com

What's New in This Release

Features Introduced in VIA 3.0.3

This section describes the features and enhancements introduced in VIA 3.0.3 Android Edition.

Certificate-Based Authentication for Profile Downloads

In previous versions of VIA, the client must provide their user credentials as part of the HTTPS communication with the controller in order to download a VIA.profile. This feature allows the client to authenticate automatically when a valid certificate is presented to the controller with standard SSL/TLS key exchange and certificate validation rules.

When a certificate-based profile is configured on a controller, VIA will attempt to authenticate the client certificate while downloading the initial connection profile from the controller. If the controller requires a role to be assigned to the user, the client's identity can be authenticated using the appropriate certificate. This can be accomplished through the following:

- Email ID from the SubjectAltName extension (2.5.29.17)
- Email address OID (1.2.840.113549.1.9.1)
- Subject containing E= attribute (2.5.29.14)
- Issued to Name (in absence of email address) (2.5.19.17)

Marking Outgoing Packets with ToS Bits

This feature provides the ability to mark outgoing IKE and ESP packets with a custom DSCP value (which is configured on the controller under the VIA connection profile). A new knob, tos_dscp, for marking custom DSCP is available under the VIA connection profile. It supports values from 0 to 63. When a VIA client downloads the connection profile, this value is also pushed to the client. VIA sets the configured DSCP value in the ToS byte of the outer IP header.

Note that this feature is supported in ArubaOS 6.5.4 and onward; however, it is unavailable for ArubaOS 8.x versions.

Resolved Issues in VIA 3.0.3

The following issues have been resolved in VIA 3.0.3:

Table 2: VIA 3.0.3 Resolved Issues

26293
Symptom: Android VIA was unable to establish certificate-based tunnels if the client certificate was chained.
Scenario: This issue was observed in all VIA releases prior to 3.0.3.

Known Issues in VIA 3.0.3

The following are known issues in VIA 3.0.3:

Table 3: VIA 3.0.3 Known Issues

27292
Symptom: VIA fails to connect.
Scenario: This issue is specific to the Android 5.0 operating system and occurs after installing VIA 2.2.6 or later, or after upgrading to VIA 2.2.6 when previous versions of VIA or any other VPN client are already installed and connected.
Workaround: Restart the Android 5.0 device after installing VIA 2.3.1 or later, or after upgrading VIA.

41413
Symptom: Clients are unable to download VIA profiles when using a chain certificate.
Scenario: This issue is present in VIA 3.0.1 and 3.0.3. When clients attempt to download a VIA profile using a chain certificate, the download will fail. The chain certificate may still be used to connect to VIA.
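
The DSCP marking described under "Marking Outgoing Packets with ToS Bits" can be checked from a packet capture. The following Python is an added example, not Aruba code: it reads the ToS byte of outer IPv4 headers and reports IKE or ESP packets whose DSCP differs from the profile's tos_dscp. The sample packets, the value 46, and all function names are constructed for illustration; UDP ports 500 and 4500 and IP protocol 50 are the standard IKE, NAT traversal, and ESP values.

```python
import struct

PROTO_UDP, PROTO_ESP = 17, 50   # IANA IP protocol numbers
IKE_UDP_PORTS = {500, 4500}     # IKE, and IKE/ESP over NAT traversal (standard ports)

def dscp_to_tos(dscp):
    """DSCP is the upper six bits of the ToS byte; the lower two bits are ECN."""
    if not 0 <= dscp <= 63:
        raise ValueError("tos_dscp must be in 0..63")
    return dscp << 2

def vpn_packet_dscp(packet):
    """Return (kind, dscp) for an IPv4 IKE/ESP packet, or None for other traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    dscp, proto = packet[1] >> 2, packet[9]
    if proto == PROTO_ESP:
        return ("esp", dscp)
    if proto == PROTO_UDP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        if sport in IKE_UDP_PORTS or dport in IKE_UDP_PORTS:
            return ("ike", dscp)          # port 4500 may also carry UDP-encapsulated ESP
    return None

def audit(packets, expected_dscp):
    """List (index, kind, seen_dscp) for tunnel packets not carrying expected_dscp."""
    bad = []
    for i, pkt in enumerate(packets):
        hit = vpn_packet_dscp(pkt)
        if hit and hit[1] != expected_dscp:
            bad.append((i, hit[0], hit[1]))
    return bad

def sample_packet(proto, tos, payload=b""):
    """Constructed IPv4 packet (checksum left at 0) using documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload

SAMPLES = [  # constructed capture; the profile is assumed to set tos_dscp = 46
    sample_packet(PROTO_UDP, dscp_to_tos(46), struct.pack("!HHHH", 40000, 500, 8, 0)),
    sample_packet(PROTO_ESP, dscp_to_tos(46) | 0b01),   # ECN bits set, DSCP still 46
    sample_packet(PROTO_UDP, 0, struct.pack("!HHHH", 40000, 4500, 8, 0)),  # unmarked
    sample_packet(PROTO_UDP, 0, struct.pack("!HHHH", 40000, 53, 8, 0)),    # DNS, ignored
]

if __name__ == "__main__":
    print(audit(SAMPLES, expected_dscp=46))
```

A non-empty result means some tunnel packets left the client, or crossed an intermediate device, without the configured marking.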

Features Added in Previous Releases

This chapter describes the new features and enhancements introduced in the previous releases of VIA Android Edition.

Features Introduced in VIA 3.0.2

This section describes the features and enhancements introduced in VIA 3.0.2 Android Edition.

Login Banner

The login banner feature allows you to display a static warning message that provides information related to corporate policies or terms and conditions of using VIA. The login banner is displayed when the VIA connection is initiated and contains the Agree and Disconnect Now buttons. The VIA connection is processed only if the user clicks Agree. If the user clicks Disconnect Now, the warning message closes, and the VIA connection is aborted.

To upload a login banner for VIA:
1. Navigate to Configuration > Advanced Services > VPN Services > VIA in the controller WebUI.
2. Under the Upload VIA Login Banner section, click Choose File to locate and select the login banner file.
3. Click Upload.

Support for Sideloaded VPN Connection Profiles with Samsung Knox

VIA 3.0.2 introduces support for sideloaded VPN connection profiles in Samsung Knox environments. If an admin user sideloads a VPN connection profile to VIA and then provisions a Samsung Knox profile, VIA gives preference to the sideloaded VPN connection profile. When the VPN connection is triggered, VIA connects using the sideloaded profile.

To sideload a VPN connection profile to VIA:
1. Log in to https://<controller-ip>/via.
2. After successful login, go to https://<controller-ip>/via/config?ikever=3. The controller returns a VPN connection profile XML file.
3. Save the XML file as via_config.xml.
4. Place the via_config.xml file in the root directory of the Android file system.
5. Launch VIA. If a VPN connection profile has not yet been provisioned on VIA, VIA loads the connection profile from the via_config.xml file.

Features Introduced in VIA 3.0.1

There are no new features or enhancements introduced in VIA 3.0.1 Android Edition.

Features Introduced in VIA 3.0.0

This section describes the features and enhancements introduced in VIA 3.0.0 Android Edition.

VIA User Interface

VIA 3.0.0 introduces a new User Interface (UI). For more details, see the Aruba VIA 3.0.0 Android Edition User Guide.

Lockdown All Settings

Network administrators can enable the Lockdown All Settings knob on the controller to prevent profile setting changes on the VIA client. When this knob is enabled, users cannot clear profiles or edit any settings on the VPN Profiles tab, including the server and authentication profile.

Support for Samsung Knox

VIA 3.0.0 introduces support for Samsung Knox to enhance security and provide mobile device management (MDM) integration. This feature includes:

- Implementation of the Knox VPN service and APIs. Refer to the Samsung Knox Vendor Integration Guide for more details.
- Automatic VIA profile provisioning in a Knox/MDM-controlled environment.
- Use of a generic Knox VPN framework to set up IPSec VPN tunnels.
- Support for dual IPSec tunnels. VIA can be used as an outer or inner tunnel in a dual tunnel environment.
- Support for IPSec VPN tunnels inside the Knox container.

VIA supports Knox features on Samsung devices with Knox 2.2 and onwards.

Resolved Issues in Previous Releases

The following issues were fixed in the previous releases of VIA Android Edition.

Resolved Issues in VIA 3.0.2

The following issues are resolved in VIA 3.0.2:

Table 4: VIA 3.0.2 Fixed Issues

34254
Symptom: VIA automatically reconnected after reaching the maximum session timeout.
Scenario: This issue was observed in VIA 3.0.0.

36315
Symptom: When users connected to a trusted network, the Local IP on the Network tab of the VIA UI was updated with the assigned network IP address.
Scenario: This issue was observed in VIA 3.0.0 when users connected to a trusted network.

Resolved Issues in VIA 3.0.1

The following issues are resolved in VIA 3.0.1:

Table 5: VIA 3.0.1 Fixed Issues

36314
Symptom: The VIA application was vulnerable to MITM attacks.
Scenario: This issue was observed in Android devices in VIA 3.0.0 and earlier during the profile download process. This issue occurred when there were multiple SSL sessions during profile download, and a trust check was only performed for the first session.

36677
Symptom: VIA was unable to fail over to a backup controller if port 443 was blocked. This issue is resolved by skipping controller reachability checks on port 443 during failover. Instead, VIA initiates an IPsec session directly with the controller. If the controller becomes unreachable, IKE negotiation fails with a timeout period of five seconds for the first UDP packet reply.
Scenario: This issue was observed in Android devices in VIA 3.0.0 when port 443 was blocked.

151428
Symptom: The VIA application crashed when users attempted to connect in the absence of network connectivity.
Scenario: This issue was observed in Android devices in VIA 3.0.0 when clients used the fully qualified domain name (FQDN) of a controller to download a VPN profile.

Resolved Issues in VIA 3.0.0

The following issues are resolved in VIA 3.0.0:

Table 6: VIA 3.0.0 Fixed Issues

33924
Symptom: The VIA application crashed on Android devices if the configured VPN profile contained multiple IKE authentication profiles.
Scenario: This issue was observed in Android devices in VIA 2.4.0.

34236
Symptom: Certificate-based VIA connection failed if the server certificate used for the VPN connection included a street name and postal code.
Scenario: This issue was observed in Android devices in VIA 2.3.1.

35028
Symptom: VIA failed to connect when devices moved in and out of their Wi-Fi or LTE coverage areas.
Scenario: This issue was observed in Android devices in VIA 2.4.0.

Known Issues in Previous Releases

The known issues and limitations observed in the previous releases of VIA Android Edition are described in the following table. Applicable workarounds are included.

Known Issues in VIA 3.0.1

The following issues are observed in VIA 3.0.1. Applicable workaround is included.

Table 7: VIA 3.0.1 Known Issues

135653
Symptom: VIA connections with IKEv1 certificates fail when the certificate chain is used.
Scenario: If the controller does not have the complete certificate chain configured as a trusted CA, but individual certificates in the chain are configured as trusted CAs, the VIA connection fails with IKEv1 certificates. This issue is observed in Android devices in VIA 2.3.1.
Workaround: On the controller, configure the complete certificate chain of the intermediate CA as an ISAKMP CA certificate.

27292
Symptom: VIA fails to connect.
Scenario: This issue is specific to the Android 5.0 operating system and occurs after installing VIA 2.2.6 or later, or after upgrading to VIA 2.2.6 when previous versions of VIA or any other VPN client are already installed and connected.
Workaround: Restart the Android 5.0 device after installing VIA 2.3.1 or later, or after upgrading VIA.

Known Issues in VIA 3.0.0

The following issues are observed in VIA 3.0.0. Applicable workaround is included.

Table 8: VIA 3.0.0 Known Issues

135653
Symptom: VIA connections with IKEv1 certificates fail when the certificate chain is used.
Scenario: If the controller does not have the complete certificate chain configured as a trusted CA, but individual certificates in the chain are configured as trusted CAs, the VIA connection fails with IKEv1 certificates. This issue is observed in Android devices in VIA 2.3.1.
Workaround: On the controller, configure the complete certificate chain of the intermediate CA as an ISAKMP CA certificate.

27292
Symptom: VIA fails to connect.
Scenario: This issue is specific to the Android 5.0 operating system and occurs after installing VIA 2.2.6 or later, or after upgrading to VIA 2.2.6 when previous versions of VIA or any other VPN client are already installed and connected.
Workaround: Restart the Android 5.0 device after installing VIA 2.3.1 or later, or after upgrading VIA.