Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

PEFVPN and RFC-3576 bug?

  • 1.  PEFVPN and RFC-3576 bug?

    MVP
    Posted Feb 27, 2013 12:06 PM

    While setting up an Aruba (demo) controller to authenticate with ClearPass I ran across the following issue in both 6.1.3.5 and 6.2.0.3.

    When I had only the PEF-VPN license active I could not set up the RFC-3576 server. Selecting the settings through config > authentication or config > all profiles > wireless lan resulted in the following error with Chrome, Firefox and IE:

    (attached screenshot: cannot-add-rfc-pefvpn.png)

    After adding some PEFNG licenses this error disappeared and I was able to set the rfc-3576 server without any error. Is this expected behaviour?

     

    I was told that the PEF-VPN is "a PEFNG with VPN added on top of it". If this isn't the case, can somebody explain the differences?

     



  • 2.  RE: PEFVPN and RFC-3576 bug?

    Posted Feb 27, 2013 12:25 PM

    As a side-note, I'm running without PEF and trying to set up ClearPass -- am I in trouble?

     

    I note that there is no option for RFC-3576 in my controller.



  • 3.  RE: PEFVPN and RFC-3576 bug?

    EMPLOYEE
    Posted Feb 27, 2013 01:04 PM

    PEFNG allows you to assign roles to users.

    PEF-VPN allows you to assign different roles to VPN users.

     

    RFC-3576 requires PEFNG

    PEF-VPN needs PEFNG to work correctly (a.k.a. if you don't have PEFNG, what roles are you going to assign VPN users to?)



  • 4.  RE: PEFVPN and RFC-3576 bug?

    MVP
    Posted Feb 27, 2013 02:18 PM

    If you look at the price of a PEFV license I would sure hope that would include the PEFNG. :P

     

    But you sure can create and apply user-roles to any user-type with just the PEFV license. See the output below or test yourself.

    In fact, the only thing I've found that doesn't work with just the PEFV is the rfc-3576 server, and that pops up an error that it can't do a certain show command where normally the entry would just be hidden.

     

    (Staging-Aruba3600) #show license

    License Table
    -------------
    Key Installed Expires Flags Service Type
    --- --------- ------- ----- ------------

    <lic key here> 2013-02-27 2013-03-29 E Access Points: 2048 03:14:31[2] 03:14:31
    <lic key here> 2013-02-27 2013-03-29 E Policy Enforcement Firewall for VPN users 03:14:42[3] 03:14:42

    License Entries: 10 (all the others are not enabled)

    Flags: A - auto-generated; E - enabled; R - reboot required to activate

    (Staging-Aruba3600) #show rights

    RoleTable
    ---------
    Name ACL Bandwidth ACL List Type
    ---- --- --------- -------- ----
    ap-role 4 Up: No Limit,Dn: No Limit System
    authenticated 59 Up: No Limit,Dn: No Limit allowall/,v6-allowall/ User
    block-ftp 54 Up: No Limit,Dn: No Limit block-ftp/,allowall/ User
    block-telnet 56 Up: No Limit,Dn: No Limit block-telnet/,allowall/ User
    cpbase 14 Up: No Limit,Dn: No Limit cpbase/ User
    default-via-role 58 Up: No Limit,Dn: No Limit allowall/ User
    default-vpn-role 55 Up: No Limit,Dn: No Limit allowall/,v6-allowall/ User
    denyall 12 Up: No Limit,Dn: No Limit denyall/ User
    guest 3 Up: No Limit,Dn: No Limit User
    guest-logon 6 Up: No Limit,Dn: No Limit User
    logon 1 Up: No Limit,Dn: No Limit User
    stateful-dot1x 5 Up: No Limit,Dn: No Limit System
    sys-ap-role 7 Up: No Limit,Dn: No Limit sys-control/,sys-ap-acl/ System (not editable)
    voice 57 Up: No Limit,Dn: No Limit sip-acl/,noe-acl/,svp-acl/,vocera-acl/,skinny-acl/,h323-acl/,dhcp-acl/,tftp-acl/,dns-acl/,icmp-acl/ User

    Total Roles:14

     

     

    (Staging-Aruba3600) #show u

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
    192.168.253.19 60:67:20:ca:b1:28 dimitri block-telnet 00:00:00 802.1x cppm-poc-105 Wireless cppm-poc/d8:c7:c8:6a:1d:a8/a-HT cppm-poc tunnel

    User Entries: 1/1

     

     

    So, could you please double-check this info and get back to us?



  • 5.  RE: PEFVPN and RFC-3576 bug?

    EMPLOYEE
    Posted Feb 27, 2013 04:25 PM

    Lots of confusion on this topic...

     

    PEF-NG lets you apply firewall rules to users coming into the system through wireless APs, or wired ports. This is the "standard" PEF license that most people use, and it's tied to the number of AP licenses you have.  LIC-AP and LIC-PEFNG should always match (you can have LIC-AP smaller than LIC-PEFNG, but not the other way around or bad things happen.)

     

    PEF-V lets you apply firewall rules to users coming into the system through VPN tunnels. It's there for when you're using the controller as a VPN concentrator. PEFV is also the license that allows you to use the VIA client (VIA is not licensed on a per-seat or per-connection basis).

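The post above gives a concrete rule worth checking on any controller: PEFNG seats may be fewer than AP seats but never more, and (per the earlier reply) PEFV without any PEFNG seats leaves VPN users with no roles to land in. The following is an added example, not code from the thread or from HPE Aruba: a small parser for the `show license` table layout shown in post 4, plus a check that reports those two conditions. The sample output, the license keys and the "Policy Enforcement Firewall Next Generation: N" service-type string are all constructed assumptions; only the table layout follows the thread.

```python
"""Parse ArubaOS 'show license' output and flag the LIC-AP / LIC-PEFNG / PEFV
conditions discussed in this thread. Added example; the sample output below is
constructed and the PEFNG service-type wording is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the 'show license' layout in post 4.
# License keys are placeholders; the PEFNG service string is assumed.
SAMPLE_SHOW_LICENSE = """\
License Table
-------------
Key             Installed   Expires     Flags  Service Type
---             ---------   -------     -----  ------------
<lic-key-1>     2013-02-27  2013-03-29  E      Access Points: 64
<lic-key-2>     2013-02-27  2013-03-29  E      Policy Enforcement Firewall Next Generation: 128
<lic-key-3>     2013-02-27  2013-03-29  E      Policy Enforcement Firewall for VPN users

License Entries: 3
Flags: A - auto-generated; E - enabled; R - reboot required to activate
"""

# key  installed-date  expiry-date|Never  flags  service-type
LINE_RE = re.compile(
    r"^\S+\s+(\d{4}-\d{2}-\d{2})\s+(\d{4}-\d{2}-\d{2}|Never)\s+([A-Z]*)\s+(.+?)\s*$"
)

PEFNG_SERVICE = "Policy Enforcement Firewall Next Generation"  # assumed wording
PEFV_SERVICE = "Policy Enforcement Firewall for VPN users"     # as shown in post 4
AP_SERVICE = "Access Points"                                    # as shown in post 4


@dataclass
class LicenseEntry:
    installed: str
    expires: str
    flags: str
    service: str
    count: Optional[int]  # None for licences that carry no seat count (e.g. PEFV)


def parse_show_license(text: str) -> List[LicenseEntry]:
    """Return one LicenseEntry per table row; header, separator and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        installed, expires, flags, service = m.groups()
        count = None
        # "Access Points: 64" -> service "Access Points", count 64
        if ":" in service:
            name, _, num = service.rpartition(":")
            if num.strip().isdigit():
                service, count = name.strip(), int(num)
        entries.append(LicenseEntry(installed, expires, flags, service, count))
    return entries


def seat_count(entries: List[LicenseEntry], service: str) -> int:
    """Sum the seats of enabled (flag E) licences of the given service type."""
    return sum(e.count or 0 for e in entries
               if "E" in e.flags and e.service == service)


def check_licenses(text: str) -> dict:
    """Apply the two rules from the thread and return counts plus findings."""
    entries = parse_show_license(text)
    ap = seat_count(entries, AP_SERVICE)
    pefng = seat_count(entries, PEFNG_SERVICE)
    has_pefv = any("E" in e.flags and e.service == PEFV_SERVICE for e in entries)
    findings = []
    if pefng > ap:
        findings.append(f"LIC-PEFNG ({pefng}) exceeds LIC-AP ({ap})")
    if has_pefv and pefng == 0:
        findings.append("PEFV installed without any PEFNG seats")
    return {"ap": ap, "pefng": pefng, "pefv": has_pefv, "findings": findings}


if __name__ == "__main__":
    for finding in check_licenses(SAMPLE_SHOW_LICENSE)["findings"]:
        print("WARNING:", finding)
```

Feed it the real `show license` output captured from a controller to get the same report; the constructed sample deliberately violates the first rule (128 PEFNG seats against 64 AP seats) so the warning path is exercised.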


  • 6.  RE: PEFVPN and RFC-3576 bug?

    EMPLOYEE
    Posted Feb 27, 2013 04:28 PM

    Getting back to the original question - this looks like it could be a bug.  RFC3576 should be available without any license at all (although that wasn't always true, which is probably what is triggering this.)  I'll open a bug to track it.



  • 7.  RE: PEFVPN and RFC-3576 bug?

    EMPLOYEE
    Posted Jun 22, 2013 04:03 AM
    So just to clarify, if I wanted a purely VIA deployment, I'd need the PEFV and 1 x PEFNG?