Contributor I

How to use 7210 without PEFNG license

I am starting from scratch to set up a wireless network with a 7210 controller. We don't have PEFNG licenses. I thought general wireless network connections should still be possible, but for whatever reason, I fail.
 
It's currently version 6.5.0.4. I get the device connected to the SSID and authenticated using 802.1x with our radius server but the controller assigns the role "guest-role".
 
Without PEFNG license I cannot add new roles, I cannot modify roles, I cannot modify the ACLs on the guest-role. The ACLs are empty, thus the implicit deny denies all traffic.
 
I have been searching through the documentation for a couple of hours by now but haven't found how to get this working. All I find uses roles/policies which only work with PEFNG licenses.
 
Is it possible to get this working without PEFNG licenses?
 
Thanks!

Re: How to use 7210 without PEFNG license

What is your 802.1x default role under the AAA profile? Can you change this to authenticated as I believe this allows all even without a PEF-NG license.

 

(wlc-001) #show aaa profile AAA-CORP

AAA Profile "AAACorp"
---------------------
Parameter                           Value
---------                           -----
Initial role                        logon
802.1X Authentication Profile       8021xCorp
802.1X Authentication Default Role  authenticated

 

 


ACMA, ACMP
If my post addresses your query, give kudos:)
Guru Elite

Re: How to use 7210 without PEFNG license


gvde wrote:

I am starting from scratch to set up a wireless network with a 7210 controller. We don't have PEFNG licenses. I thought general wireless network connections should still be possible, but for whatever reason, I fail.

 

It's currently version 6.5.0.4. I get the device connected to the SSID and authenticated using 802.1x with out radius server but the controller assigns the role "guest-role".

 

Without PFENG license I cannot add new roles, I cannot modify roles, I cannot modify the ACLs on the guest-role. The ACLs are empty, thus the implicit deny denies all traffic.

 

I have been searching through the documentation for a couple of hours by now but haven't found how to get this working. All I find uses roles/policies which only work with PEFNG licenses.

 

Is it possible to get this working without PEFNG licenses?

 

Thanks!


Did you use the WLAN Wizard to create your SSID?  It should lead you through the process and be straightforward.  When you say "authenticated via 802.1x without radius server", what is doing the authentication, the controller?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: How to use 7210 without PEFNG license

The 802.1x default role option is only available with PEFNG license...
Contributor I

Re: How to use 7210 without PEFNG license

I have used the wizard but also tried a lot more.

It's supposed to say "with our radius"... sorry. Edited the original question...
Guru Elite

Re: How to use 7210 without PEFNG license

Did you put the clients in a vlan that exists on the controller?
Do you see your radius server responding to authentication?


Colin Joseph
Aruba Customer Engineering


Contributor I

Re: How to use 7210 without PEFNG license

RADIUS Authentication works fine. The connection gets authenticated and the user is even assigned to the specific VLAN. The VLAN does exist.

 

When I am connected and run a tcpdump on the wireless interface of the client I can even see the spanning tree frames, but nothing else except the outgoing DHCP requests.

Guru Elite

Re: How to use 7210 without PEFNG license

Is there a DHCP server on that VLAN?  If yes, it should respond...



Colin Joseph
Aruba Customer Engineering


Contributor I

Re: How to use 7210 without PEFNG license

Of course there is a DHCP server on that VLAN and it assigns IP addresses if it receives a DHCP request. But it doesn't receive anything from the wireless client. The wireless client should also receive some other broadcast traffic on that VLAN which I see on a wired client.

 

Again: the controller assigns the guest role to the authenticated user. The guest role has two access lists, global-sacl and apprf-guest-sacl, which are both empty. If I am not mistaken, empty means "implicit deny all". And that very much matches what I see with the packet sniffer on the wireless client...

Guru Elite

Re: How to use 7210 without PEFNG license

If you don't have a PEF license, there are no "roles" or "acls" because nothing is blocked.  I would try to assign another port on the controller to that VLAN, plug into it wired and see if you get an IP address.



Colin Joseph
Aruba Customer Engineering
