Wireless Access

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Original Message:
Sent: 9/10/2023 10:19:00 AM
From: chulcher
Subject: RE: cannot apply authenticated role without PEF

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 10, 2023 09:56 AM
From: Ronin101
Subject: cannot apply authenticated role without PEF

Original Message:
Sent: 9/10/2023 9:54:00 AM
From: chulcher
Subject: RE: cannot apply authenticated role without PEF

Did you modify the authenticated user role in any way?

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Sep 10, 2023 08:42 AM
From: Ronin101
Subject: cannot apply authenticated role without PEF

Original Message:
Sent: 9/10/2023 8:25:00 AM
From: shpat
Subject: RE: cannot apply authenticated role without PEF

You need PEF License if you want to create Roles. You can try to use default roles, it might work.

---------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP |
-Just an Aruba enthusiast and contributor by cases
Original Message:
Sent: Sep 10, 2023
From: Ronin101
Subject: cannot apply authenticated role without PEF

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Looked around a little more, PEF specifically enables identity based access controls.  While the error message is a bit misleading, I'm betting it stems from your modification of the AAA profile as that also requires PEF.

So, ANY modification of AAA profiles, user roles, ACLs, firewall policies, etc., requires PEF.

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Looked around a little more, PEF specifically enables identity based access controls.  While the error message is a bit misleading, I'm betting it stems from your modification of the AAA profile as that also requires PEF.

So, ANY modification of AAA profiles, user roles, ACLs, firewall policies, etc., requires PEF.

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Looked around a little more, PEF specifically enables identity based access controls.  While the error message is a bit misleading, I'm betting it stems from your modification of the AAA profile as that also requires PEF.

So, ANY modification of AAA profiles, user roles, ACLs, firewall policies, etc., requires PEF.

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Looked around a little more, PEF specifically enables identity based access controls.  While the error message is a bit misleading, I'm betting it stems from your modification of the AAA profile as that also requires PEF.

So, ANY modification of AAA profiles, user roles, ACLs, firewall policies, etc., requires PEF.

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Not knowing exactly what you are doing, don't really know.

But the short of it is that it sounds like you are trying to skate around needing PEF licensing, which isn't going to work out very well.  Some items are very strictly enforced, other items not so much, but at the end of the day PEF is required for just about anything having to do with identity or policy.  Start with the assumption that PEF is required (RFProtect is slightly more optional) and go from there.

Thankfully we don't break out this functionality as a separate license level in AOS 10.

Looked around a little more, PEF specifically enables identity based access controls.  While the error message is a bit misleading, I'm betting it stems from your modification of the AAA profile as that also requires PEF.

So, ANY modification of AAA profiles, user roles, ACLs, firewall policies, etc., requires PEF.

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Yes that is totally understood. 

I have attached video also, just in case if you want to view. 

I know without PEF, nothing much can be done

Not knowing exactly what you are doing, don't really know.

But the short of it is that it sounds like you are trying to skate around needing PEF licensing, which isn't going to work out very well.  Some items are very strictly enforced, other items not so much, but at the end of the day PEF is required for just about anything having to do with identity or policy.  Start with the assumption that PEF is required (RFProtect is slightly more optional) and go from there.

Thankfully we don't break out this functionality as a separate license level in AOS 10.

Looked around a little more, PEF specifically enables identity based access controls.  While the error message is a bit misleading, I'm betting it stems from your modification of the AAA profile as that also requires PEF.

So, ANY modification of AAA profiles, user roles, ACLs, firewall policies, etc., requires PEF.

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

You try to change the initial role in your video. I think you can just leave the initial role as without PEF there should always be a role authenticated (or not even that), so whatever you apply should not be relevant.

Have you tried with the unmodified settings what is the actual role that a client gets?

Yes that is totally understood. 

I have attached video also, just in case if you want to view. 

I know without PEF, nothing much can be done

Not knowing exactly what you are doing, don't really know.

But the short of it is that it sounds like you are trying to skate around needing PEF licensing, which isn't going to work out very well.  Some items are very strictly enforced, other items not so much, but at the end of the day PEF is required for just about anything having to do with identity or policy.  Start with the assumption that PEF is required (RFProtect is slightly more optional) and go from there.

Thankfully we don't break out this functionality as a separate license level in AOS 10.

Looked around a little more, PEF specifically enables identity based access controls.  While the error message is a bit misleading, I'm betting it stems from your modification of the AAA profile as that also requires PEF.

So, ANY modification of AAA profiles, user roles, ACLs, firewall policies, etc., requires PEF.

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

You try to change the initial role in your video. I think you can just leave the initial role as without PEF there should always be a role authenticated (or not even that), so whatever you apply should not be relevant.

Have you tried with the unmodified settings what is the actual role that a client gets?

Yes that is totally understood. 

I have attached video also, just in case if you want to view. 

I know without PEF, nothing much can be done

Not knowing exactly what you are doing, don't really know.

But the short of it is that it sounds like you are trying to skate around needing PEF licensing, which isn't going to work out very well.  Some items are very strictly enforced, other items not so much, but at the end of the day PEF is required for just about anything having to do with identity or policy.  Start with the assumption that PEF is required (RFProtect is slightly more optional) and go from there.

Thankfully we don't break out this functionality as a separate license level in AOS 10.

Looked around a little more, PEF specifically enables identity based access controls.  While the error message is a bit misleading, I'm betting it stems from your modification of the AAA profile as that also requires PEF.

So, ANY modification of AAA profiles, user roles, ACLs, firewall policies, etc., requires PEF.

Systems without PEF are quite rare, so it may be hard to get a proper answer.

It seems that for some reason the system feels that the authenticated role has been modified. Depending on where you are in the process, doing a complete wipe (wr erase, or write erase all; please make sure you backup configuration AND licenses! as with write erase all licenses are also removed), and start over may be the quickest solution.

If you have active support, you may open a TAC case as well.

Are you using 802.1X to attempt to assign the 'authenticated' role?  That's default AAA profile and method is the only combination that results in 'authenticated' being applied.  You should also be able to return 'authenticated' via RADIUS.

Been a long time since I ran anything without PEF (as PEF should be considered mandatory for operation) but I think one of the restrictions is the inability to modify the AAA profile to set a different initial or default role.

Did you modify the authenticated user role in any way?

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Hi, Herman is right, without PEF license you cannot and should not worry about user-roles as you are not able to assign or modify them. 

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

Hi, Herman is right, without PEF license you cannot and should not worry about user-roles as you are not able to assign or modify them. 

Dear All, 

I have installed VMC and AP license only. When i create the SSID, i dont get option to change the role, its set to logon. When i got to AAA profiles and try to change it from there under initial role, it gives me below error. Why is this so? authenticated role is predefined right?

Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall