Occasional Contributor II

PEFNG Questions

Hello all. I have a couple of weird questions about PEFNG and some issues I have run into.

First of all, right now I do not have the PEFNG license installed on our 3200 controller. After we upgraded to Aruba OS 5, we had issues with DHCP not working correctly to our tunneled access points, so we ditched PEFNG. We are now running 6.2.13 I believe. Anyway, I am needing to throttle a certain SSID, but from what I have seen you can't do it without the PEFNG license installed. So, I installed it the other night, DHCP worked fine, but now I get a web page that pops up saying there was an authentication error and you cannot continue. This happens on any device I try to connect to them. We are not using any type of authentication, only the SSID passwords. Any ideas?

Guru Elite

Re: PEFNG Questions

Do you have a captive portal configured for this SSID?

What ACLs are in your user role?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba

Re: PEFNG Questions

When you come from a non-PEFNG install to one that has PEFNG installed, you change the nature of roles and access policies. The role that was in place before was probably sufficient for your use, but now that you have PEFNG installed, it is likely trying to redirect you to a Captive Portal page.

For example, the initial role of an AAA profile without PEFNG is "logon". This role, when PEFNG is installed, is configured for Captive Portal.

Run show user to see what role the users are in

Run show rights <name-of-role> to see what policies are applied to the user now

If you want to allow the users full access (may be recommended until you determine how you want to use the roles/policies):

config t
aaa profile <name-of-AAA-profile>
initial-role authenticated
wr memory

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II

Re: PEFNG Questions

So, you are saying that where it says initial role logon here will change to captive portal when I install the PEFNG license?

Occasional Contributor II

Re: PEFNG Questions

Where would I check to see if an SSID has captive portal turned on? Even though we have had this Aruba system a few years, I still am not sure where some things are, and using SSH is even worse since I am not sure of the commands.

Guru Elite

Re: PEFNG Questions

What type of authentication are you using on the SSID?

What is your initial role in the AAA profile?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba

Re: PEFNG Questions

The AAA profile you showed has logon as the initial role. You mentioned only PSK authentication, so this is the role the users are likely getting assigned. This logon role has captiveportal policies assigned, but typically does not have a default captive portal profile assigned. The role itself will not change to "captive portal". If you don't want any of this behavior, change your default role:

config t
aaa profile Greenbush-aaa-prof
initial-role authenticated

By the way, was that screenshot before the PEFNG loaded? If that is how it looks now, have you rebooted since you installed the PEFNG license?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II

Re: PEFNG Questions

I think the role is above in the jpeg I attached. Right now all three SSIDs are open with no password. But I am wanting to add a password to our main one, but throttle our open SSID.

Occasional Contributor II

Re: PEFNG Questions

That screenshot is now, but I have uninstalled the license again so clients could connect.

Aruba

Re: PEFNG Questions

OK. After reapplying the license and rebooting, you can change the initial-role to something like "authenticated" which will give the users full access. You can then work on setting up a new role to assign to the specific network with bandwidth restrictions as necessary.

clembo wrote:

config t
aaa profile Greenbush-aaa-prof
initial-role authenticated

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
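
Added example, not part of the original thread: a Python check that reads a saved controller configuration and lists the virtual APs whose AAA profile starts clients in the logon role, which the replies above say carries captive-portal policies once PEFNG is licensed. The config layout, every profile and virtual-AP name other than Greenbush-aaa-prof, and treating an omitted initial-role as "logon" are assumptions made for this example.

```python
import re

# Constructed sample in the style of a controller running-config; all names
# except Greenbush-aaa-prof are made up for this example.
SAMPLE_CONFIG = '''
aaa profile "Greenbush-aaa-prof"
   initial-role "logon"
!
aaa profile "staff-aaa-prof"
   initial-role "authenticated"
!
aaa profile "guest-aaa-prof"
!
wlan virtual-ap "main-vap"
   aaa-profile "Greenbush-aaa-prof"
!
wlan virtual-ap "staff-vap"
   aaa-profile "staff-aaa-prof"
!
wlan virtual-ap "guest-vap"
   aaa-profile "guest-aaa-prof"
!
'''

HEADER = re.compile(r'^(aaa profile|wlan virtual-ap)\s+(.+?)\s*$')
SETTING = re.compile(r'^\s+(initial-role|aaa-profile)\s+(.+?)\s*$')

def parse(config_text):
    """Return ({aaa_profile: initial_role}, {virtual_ap: aaa_profile})."""
    roles, vaps, block = {}, {}, None
    for line in config_text.splitlines():
        if not line.startswith(" "):        # a header, "!" or blank line ends a block
            m = HEADER.match(line)
            block = (m.group(1), m.group(2).strip('"')) if m else None
            if block and block[0] == "aaa profile":
                roles[block[1]] = "logon"   # assumption: omitted initial-role means logon
            continue
        m = SETTING.match(line)
        if m and block:
            value = m.group(2).strip('"')
            if (block[0], m.group(1)) == ("aaa profile", "initial-role"):
                roles[block[1]] = value
            elif (block[0], m.group(1)) == ("wlan virtual-ap", "aaa-profile"):
                vaps[block[1]] = value
    return roles, vaps

def vaps_landing_in(config_text, role="logon"):
    """Virtual APs whose clients start in `role`, sorted by name."""
    roles, vaps = parse(config_text)
    return sorted(v for v, p in vaps.items() if roles.get(p, "logon") == role)
```

Running the same check with role="authenticated" lists the virtual APs whose clients get full access as soon as they associate, which is worth reviewing before a bandwidth-limited role is put in place.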
