Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
PEF License was removed now can't change MAC Authentication default role

  • 1.  PEF License was removed now can't change MAC Authentication default role

    Posted Mar 22, 2017 01:38 PM

    Originally the 7205 controller had a PEF license and MAC Authentication was configured; now the PEF license has been removed (not intentionally). It appears that MAC Authentication is still functioning, but user role assignment does not appear to be consistent. I am not sure how to change the MAC Authentication default role. Can the CLI be used for this, or must the PEF license be added back to the controller for that functionality?

     

    (aruba_lab_master) #show aaa profile aruba_WLAN-aaa_prof

     

    AAA Profile "Aruba_WLAN-aaa_prof"
    ---------------------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        logon
    MAC Authentication Profile          default
    MAC Authentication Server Group     tekradius
    802.1X Authentication Profile       dot1x_prof-dqe12
    802.1X Authentication Server Group  N/A
    Download Role from CPPM             Disabled
    L2 Authentication Fail Through      Disabled
    Multiple Server Accounting          Disabled
    User idle timeout                   N/A
    Max IPv4 for wireless user          2
    RADIUS Accounting Server Group      N/A
    RADIUS Interim Accounting           Disabled
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled
    PAN Firewall Integration            Disabled
    Open SSID radius accounting         Disabled

    (aruba_lab_master) #



  • 3.  RE: PEF License was removed now can't change MAC Authentication default role
    Best Answer

    EMPLOYEE
    Posted Mar 22, 2017 01:40 PM
    You need to reinstall the PEF license.


  • 4.  RE: PEF License was removed now can't change MAC Authentication default role

    Posted Mar 22, 2017 02:18 PM

    I will add the license back, but I am wondering where the role assignments are coming from if they are not listed in the aaa profile. Are they cached somewhere?



  • 5.  RE: PEF License was removed now can't change MAC Authentication default role

    EMPLOYEE
    Posted Mar 22, 2017 03:12 PM

    There is no concept of "role" when the PEF license is not installed.  You are either authenticated or not.  I would look at the flash to see if there was a configuration saved before the PEF license was removed to restore your full configuration.  Running a production controller after removing the PEF license is a rare occurrence, and what happens after that is unpredictable.



  • 6.  RE: PEF License was removed now can't change MAC Authentication default role

    Posted Mar 22, 2017 06:17 PM

    What about this: https://community.arubanetworks.com/t5/Security/MAC-Authentication-with-PEF-Licencse/m-p/111141

    If you set up MAC authentication without PEF, what happens?



  • 7.  RE: PEF License was removed now can't change MAC Authentication default role

    EMPLOYEE
    Posted Mar 23, 2017 04:26 AM

    What happens when you add a PEF license is that you can define roles on the controller. As soon as the license is removed (or expired in the case of an evaluation license), on a reboot each configured role is removed from the running configuration. That means that as soon as you reboot the controller without a PEF license active, all user-defined roles are removed, and just the system 'authenticated' role with full access remains.

     

    The referred article mentions the same: you need PEF for role-based access, without PEF just full access, and that is the same for MAC, 802.1X, WPA2-Enterprise, and so on. Without the PEF license, you can return VLAN attributes during the authentication, just no roles as those are unavailable in that case.

     

    If you need a copy of your lost license, you can ask Aruba TAC for assistance. They should be able to provide you with the existing license if you mention the serial number of the controller.