Wireless Access

Hi gurus,

 

I have a customer who was using temporary PEF licenses, but they are going to expire. He doesn't want to purchase again these licenses, and according to my Aruba SE, if he only uses the built-in roles in the controller, he can be fine with these licenses. In order to do so, he is only using the "authenticated" role for the employee SSID and for the guest "SSID" he is going to change his old "ldsguestls-cp_prof_new" role for the built-in "guest-logon" role. After doing this, captive portal kept working, and then we removed the PEF license. After the removal, we reboot an AP to test, but the AP came up with flags "IL" (inactive, unlicensed). So it seems we still need the licenses. Although right now we are using only built-in roles, we didn't delete the roles my customer created when he had PEF licenses, as showed below:

Do we need to delete these roles from the User Roles tab?

 

Regards,

Julián

 

 

Deleting or letting the PEF license expire leads to unpredictable results, because it is not done often.

 

With that being said, you should type "show keys" on the controller to see what licenses the user has.  There could be other temporary licenses that expired and now the user does not have enough licenses for his access points.

 

Just having roles configured will not trigger a user's access points to be unlicensed.  It is quite possible that the customer STILL has some PEF licenses and now that is limiting how many access points can come up.

Pretty sure you'll need to reboot the controller(s), not just the APs to make this work.

Now the controller has loaded config that they do not support. On reboot it should actualy remove the 'non-supported' user-roles and such.

Hi guys, thanks for your interest.

 

@Colin,

 

These are the licenses customer has:The second to last PEF license is the license customer had, it expired some time ago and then customer started with the problems because he was using non-built-in roles. Then the Aruba regional team issued a temporary PEF license (the last in the list). When we made the configuration for using only built-in roles, we removed the last license to check if we really still needed it or not, and when rebooting an AP it came up with IL flags.

 

@Koen,

 

Do you mean to reboot both master and local controllers? Do you mean after rebooting the 'non-supported' user-roles will be removed from the User Roles tab automatically? I am afraid after rebooting both controllers all the APs appear as IL...

 

Regards,

Julián

I did mean rebooting both controllers yes but looking at your screenshot you again have a PEF eval license active so rebooting won't change anything for you at this time.

Are you still having the IL flag issues with this EVAL license?

 

You currently should be able to terminarte 20 APs. How many are you effectively using?  Your usage says 19, but the standby usage says 22?

 

How many APs have the IL flags? Do you have centralized licensing active so both controllers can use all licenses? 

Can you show us a "show ap database long"?

Does the system logs give any usefull clue?

 

---

@koen wrote:

I did mean rebooting both controllers yes but looking at your screenshot you again have a PEF eval license active so rebooting won't change anything for you at this time.

Are you still having the IL flag issues with this EVAL license?

 

You currently should be able to terminarte 20 APs. How many are you effectively using?  Your usage says 19, but the standby usage says 22?

 

How many APs have the IL flags? Do you have centralized licensing active so both controllers can use all licenses? 

Can you show us a "show ap database long"?

Does the system logs give any usefull clue?

 

---

Hi Koen,

 

Sorry for the late reply, I was busy and forgot it. Yes, I have a PEF eval license, and I didn't have the IL flags issues with these license. As I said:

 

After doing this, captive portal kept working, and then we removed the PEF license. After the removal, we reboot an AP to test, but the AP came up with flags "IL" (inactive, unlicensed).

 

After making the configuration for using only default roles, I removed the PEF eval license to check if I still needed it, and then the IL flags appeared. I am managing around 42 or 43 APs, I don't remember exactly, but the thing is half of them are pointing to the local controller, and the other half are pointing to the master controller (where I took the image, and because that they appear as standby).

After removing the PEF eval license, all the APs I reboot come up with IL flags. And yes, centralized licensing is enabled.

I am not at customer side these days so I can't run the commands to answer your two last questions.

 

Regards,

Julián

 

 

After removing the PEF eval license, all the APs I reboot come up with IL flags. And yes, centralized licensing is enabled.

I am not at customer side these days so I can't run the commands to answer your two last questions.

Regards,

Julián

---

When removing licenses, you'll need to reboot the controller (not just the AP) for the change to take place. I suspect what's happening here is that the AP was rebooted, finds the controller still has PEF active, but has not available PEF licenses for the AP to join, and thus the IL flag. With the controller reboot, PEF will not longer be active and so available PEF licenses will not be considered.

Hi Charlie,

 

Thanks for the information, then I will try that. Both master and local controllers or just the master controller?

 

Regards,

Julián

---

@fjulianom wrote:

Hi Charlie,

 

Thanks for the information, then I will try that. Both master and local controllers or just the master controller?

 

Regards,

Julián

---

Ideally both, but at least the controller where the AP terminates (local?).

 

Once the local is rebooted, you can check for profile errors to make sure there wasn't any non-default profiles configured on the master that the local can't install due to licensing. (show profile-errors)

Hi guys,

 

Rebooting the controllers wasn't the solution. Yesterday night I changed the configuration for using only default roles, I deleted the eval PEF license and rebooted both controllers. Then I reboot an AP to check the results, and the AP came up with IL flags again. I open a TAC cases and they told me to do a factory reset on both controllers, but I doubt this solve this issue. Also I am afraid to do a factory reset an already deployed master-local topology. I have attached the master configuration in case you see something weird, as well as the commands that show the AP requires a license and the AP has IL flags.

 

Regards,

Julián

We need the output of "show keys".  

Hi Colin,

 

I don't have access right now to the controller, what is that command used for?

 

Regards,

Julián

It would tell you how many licenses you actually have.

It is also not a good practice to add and remove PEF licenses, because it will also remove functional configuration and break them as a result.

Hi Colin,

 

The licenses we have are those I attached in message 4, and we deleted the last PEF license. We don't add and remove licenses just because, the reason is because the PEF license is going to expire and customer don't want to purchase these licenses, since he isn't going to use the PEF module.

 

Regards,

Julián

Looking at it again, you have 42 RFProtect licenses and 43 access points.  You would need another RF protect license to bring that 43rd accesss point up.

Hi Colin,

 

Yes, and I also have 42 AP capacity licenses, but after adding the eval PEF license again, the AP came up correctly, so it seems a PEF license issue. Also we have 43 APs, but two of them were down.

 

Regards,

Julián

If you are removing all of your PEF licenses, your problem is that you don't have enough RF Protect licenses.

Hi Colin,

 

But what is the relation between RF Protect licenses and PEF licenses?

 

1. We don't use the RF Protect module, we don't have air monitors.

2. Even with only 41 active APs (two were down), we need 43 RF Protect licenses? And what about the 42 AP capacity licenses we have?

 

Regards,

Julián

If you have AP, PEF and RFP licenses, you will only be allowed to bring up access points that are equal to the lesser of the three licenses.

Right now if you have 42 AP, 43 RFP and 2000 PEF, only 42 APS will be allowed to be used on that controller.  

If you have AP, PEF and RFP licenses, you will only be allowed to bring up access points that are equal to the lesser of the three licenses.

Right now if you have 42 AP, 43 RFP and 2000 PEF, only 42 APS will be allowed to be used on that controller.  

Yes, that's right. Right now I have 42 AP, 42 RFP and 2048 PEF, and I have 41 APs up (consider two are off). Yesterday night when I removed the PEF licenses I had 42 AP and 42 RFP and 41 APs up. After rebooting an AP I ended up with 40 APs up and this last AP with IL flags, and still I had 42 AP and 42 RFP licenses. So the licenses quantity is not the problem.

Regards,
Julián

Keep working with TAC.  My advice is limited to my experience with licensing so my advice is based on that.  Let us know how this is resolved.

Hi,

 

Without PEF licenses there is NO firewall if i am correct. So mixing a corporate and guest SSID might not be the best option.

 

 

Is this for the controller internal captive portal or external ?

Sent from Mail for Windows 10

Hi Victor,

It is the internal controller captive portal.

Regards,
Julián

Yes, it makes sense but my customer is using only default roles for both the corporate and guest SSIDs, so PEF licenses wouldn't be needed.

Regards,
Julián

Hi Julian,

 

Please use a seperated VLAN for Guest and don't assign an IP for this vlan on the Controller. So no guest can access the internal VLAN's. You don't have a firewall on the controller!