03-22-2017 10:38 AM
Originally the 7205 controller had a PEF license and MAC Authentication was configured; now the PEF license has been removed (not intentionally). It appears that MAC Authentication is still functioning, but user role assignment does not appear to be consistent. I am not sure how to change the MAC Authentication default role. Can the CLI be used for this, or must the PEF license be added back to the controller for that functionality?
(aruba_lab_master) #show aaa profile aruba_WLAN-aaa_prof
AAA Profile "Aruba_WLAN-aaa_prof"
Initial role logon
MAC Authentication Profile default
MAC Authentication Server Group tekradius
802.1X Authentication Profile dot1x_prof-dqe12
802.1X Authentication Server Group N/A
Download Role from CPPM Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
Device Type Classification Enabled
Enforce DHCP Disabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled
03-22-2017 11:18 AM
I will add the license back, but I am wondering where the role assignments are coming from if they are not listed in the AAA profile. Are they cached somewhere?
03-22-2017 12:11 PM
There is no concept of "role" when the PEF license is not installed. You are either authenticated or not. I would look at the flash to see if there was a configuration saved before the PEF license was removed to restore your full configuration. Running a production controller after removing the PEF license is a rare occurrence, and what happens after that is unpredictable.
Aruba Customer Engineering
03-22-2017 03:17 PM
If MAC authentication is set up without PEF, what happens?
03-23-2017 01:25 AM
What happens when you add a PEF license is that you can define roles on the controller. As soon as the license is removed (or expired in the case of an evaluation license), on a reboot each configured role is removed from the running configuration. That means that as soon as you reboot the controller without a PEF license active, all user-defined roles are removed, and just the system 'authenticated' role with full access remains.
The referred article mentions the same: you need PEF for role-based access, without PEF just full access, and that is the same for MAC, 802.1X, WPA2-Enterprise, and so on. Without the PEF license, you can return VLAN attributes during the authentication, just no roles as those are unavailable in that case.
If you need a copy of your lost license, you can ask Aruba TAC for assistance. They should be able to provide you with the existing license if you mention the serial number of the controller.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.