Wireless Access

MVP
Posts: 756
Registered: ‎03-25-2009

PEFVPN and RFC-3576 bug?

While setting up an Aruba (demo) controller to authenticate with clearpass I ran across the following issue in both 6.1.3.5 and 6.2.0.3.

When I had only the PEF-VPN license active I could not set up the RFC-3576 server. Selecting the settings through config > authentication or config > all profiles > wireless lan resulted in the following error with Chrome, Firefox and IE:

cannot-add-rfc-pefvpn.png.

After adding some PEFNG licenses this error disappeared and I was able to set the rfc-3576 server without any error. Is this expected behaviour?

I was told that the PEF-VPN is "a PEFNG with VPN added on top of it". If this isn't the case, can somebody explain the differences?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
MVP
Posts: 707
Registered: ‎12-01-2010

Re: PEFVPN and RFC-3576 bug?

As a side-note, I'm running without PEF and trying to set up ClearPass -- am I in trouble?

I note that there is no option for RFC-3576 in my controller.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Guru Elite
Posts: 20,808
Registered: ‎03-29-2007

Re: PEFVPN and RFC-3576 bug?

PEFNG allows you to assign roles to users.

PEF-VPN allows you to assign different roles to VPN users.

RFC-3576 requires PEFNG.

PEF-VPN needs PEFNG to work correctly (a.k.a. if you don't have PEFNG, what roles are you going to assign VPN users to?).

Colin Joseph
Aruba Customer Engineering

MVP
Posts: 756
Registered: ‎03-25-2009

Re: PEFVPN and RFC-3576 bug?

If you look at the price of a PEFV license I would sure hope that would include the PEFNG. :P

But you sure can create and apply user-roles to any user-type with just the PEFV license. See the output below or test yourself.

In fact, the only thing I've found that doesn't work with just the PEFV is the rfc-3576 server, and that pops up an error that it can't do a certain show command where normally the entry would just be hidden.

(Staging-Aruba3600) #show license

License Table
-------------
Key Installed Expires Flags Service Type
--- --------- ------- ----- ------------

<lic key here> 2013-02-27 2013-03-29 E Access Points: 2048 03:14:31[2] 03:14:31
<lic key here> 2013-02-27 2013-03-29 E Policy Enforcement Firewall for VPN users 03:14:42[3] 03:14:42

License Entries: 10 (all the others are not enabled)

Flags: A - auto-generated; E - enabled; R - reboot required to activate

(Staging-Aruba3600) #show rights

RoleTable
---------
Name ACL Bandwidth ACL List Type
---- --- --------- -------- ----
ap-role 4 Up: No Limit,Dn: No Limit System
authenticated 59 Up: No Limit,Dn: No Limit allowall/,v6-allowall/ User
block-ftp 54 Up: No Limit,Dn: No Limit block-ftp/,allowall/ User
block-telnet 56 Up: No Limit,Dn: No Limit block-telnet/,allowall/ User
cpbase 14 Up: No Limit,Dn: No Limit cpbase/ User
default-via-role 58 Up: No Limit,Dn: No Limit allowall/ User
default-vpn-role 55 Up: No Limit,Dn: No Limit allowall/,v6-allowall/ User
denyall 12 Up: No Limit,Dn: No Limit denyall/ User
guest 3 Up: No Limit,Dn: No Limit User
guest-logon 6 Up: No Limit,Dn: No Limit User
logon 1 Up: No Limit,Dn: No Limit User
stateful-dot1x 5 Up: No Limit,Dn: No Limit System
sys-ap-role 7 Up: No Limit,Dn: No Limit sys-control/,sys-ap-acl/ System (not editable)
voice 57 Up: No Limit,Dn: No Limit sip-acl/,noe-acl/,svp-acl/,vocera-acl/,skinny-acl/,h323-acl/,dhcp-acl/,tftp-acl/,dns-acl/,icmp-acl/ User

Total Roles:14

(Staging-Aruba3600) #show u

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
192.168.253.19 60:67:20:ca:b1:28 dimitri block-telnet 00:00:00 802.1x cppm-poc-105 Wireless cppm-poc/d8:c7:c8:6a:1d:a8/a-HT cppm-poc tunnel

User Entries: 1/1

So, could you please double-check this info and get back to us?

Koen (ACMX #351 | ACDX #547 | ACCP)

Moderator
Posts: 243
Registered: ‎09-12-2007

Re: PEFVPN and RFC-3576 bug?

Lots of confusion on this topic...

PEF-NG lets you apply firewall rules to users coming into the system through wireless APs or wired ports. This is the "standard" PEF license that most people use, and it's tied to the number of AP licenses you have. LIC-AP and LIC-PEFNG should always match (you can have LIC-AP smaller than LIC-PEFNG, but not the other way around, or bad things happen).

PEF-V lets you apply firewall rules to users coming into the system through VPN tunnels. It's there for when you're using the controller as a VPN concentrator. PEFV is also the license that allows you to use the VIA client (VIA is not licensed on a per-seat or per-connection basis).

---
Jon Green, ACMX, CISSP
Security Guy
Moderator
Posts: 243
Registered: ‎09-12-2007

Re: PEFVPN and RFC-3576 bug?

Getting back to the original question - this looks like it could be a bug. RFC 3576 should be available without any license at all (although that wasn't always true, which is probably what is triggering this). I'll open a bug to track it.

---
Jon Green, ACMX, CISSP
Security Guy
Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: PEFVPN and RFC-3576 bug?

So just to clarify, if I wanted a purely VIA deployment, I'd need the PEFV and 1 x PEFNG?

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com