Controller Based WLANs

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.

No, the switch does not have to be rebooted for the added license to take effect. The Base OS configuration has roles and ACLs that cannot be customized because the switch does not have a PEF license.

Consider a captive portal setup in the Base OS configuration. An initial role is created with the same name as the profile and it has the standard policies allowing only http, https, DNS, DHCP, and the redirection ACLs.

·    A user trying to connect to such an SSID is redirected to the captive portal page. After logging in as a guest, the user is assigned the default guest role, which has an implicit "allow all" rule because the switch has no licenses.

·    When the PEF license is added to the controller, a message says to reload the switch for the license to take effect. However, we can see that the guest role (which the user is in) now has the ACLs added to it. The user now has limited services (http, https, DNS, DHCP, and icmp for ipv4 and ipv6).

·    Thus it can be observed that the ACLs get added to the corresponding roles and take effect without the switch having to be reloaded.

 Here the user-role guest is shown before and after the PEF license is added. This example shows that the PEF license takes effect immediately after it is added.

user-role ap-role 
     ! 
     user-role guest-logon 
     ! 
user-role guest         

/* The user role guest with an implicit ‘allow all' */ 
          
     user-role guest                                    
     session-acl http-acl 
     session-acl https-acl 
     session-acl dhcp-acl 
     session-acl icmp-acl 
     session-acl dns-acl 
     ipv6 session-acl v6-http-acl 
     ipv6 session-acl v6-https-acl 
     ipv6 session-acl v6-dhcp-acl 
     ipv6 session-acl v6-icmp-acl 
     ipv6 session-acl v6-dns-acl 
     ! 

// the user role guest after the PEF license was added (without rebooting the switch)//