Wireless Access

 View Only
last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Configured roles not used after enabling PEF feature

This thread has been viewed 18 times
  • 1.  Configured roles not used after enabling PEF feature

    Posted Jul 27, 2022 11:01 AM
    Hi Guys!

    We have a large Aruba wireless network, and unfortunately the PEF feature was not enabled at the time of installation. Since we want to use Guest Portal, we are now forced to implement it.
    We use external firewalls for traffic filtering, we don't want to do any filtering on the controllers except Guest Portal. For each WLAN we have created a unique role and in the roles we have included the "allowall" policy which allows everything in all directions.

    aaa profiles for each WLAN were configured according to the following methodology.

    WPA-Enterprise networks:
    Initial role: logon (default, not changed)
    802.1X Authentication Default Role: the custom role created in the previous step

    WPA-Personal networks:
    Initial role: unique role created in the previous step

    After enabling the PEF feature, we experienced some strange things. On one 802.1x network, clients were assigned the newly configured role. On the other 802.1x network, the clients were given the default guest role, no change in operation there. I tried disabling and enabling the SSID, didn't helped.

    What could be the problem, what could cause such an error? Is it necessary to reboot the controllers after enabling the PEF feature?

    Software: AOS 8.6.0.11, MM-MD architecture

    Thanks!


  • 2.  RE: Configured roles not used after enabling PEF feature

    EMPLOYEE
    Posted Jul 27, 2022 11:20 AM
    Unfortunately, when you enable PEF after configuration, the default roles and acls are not added.  See how many of the default roles/acls are missing from the older default file here:  https://community.arubanetworks.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=70ca286e-f319-491e-a216-7f59d67e0b36

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Configured roles not used after enabling PEF feature

    Posted Jul 27, 2022 12:04 PM
    I checked the link You sent, I see that roles and acls in our configuration.

    (xxxxxxxxxxxx) *[mynode] #show configuration effective Site1-WC001 detail | include netservice
    netservice svc-smb-udp udp 445                                                   # inherited from [/]
    netservice vnc tcp 5900 5905                                                     # inherited from [/]
    netservice svc-noe udp 32512 ALG noe                                             # inherited from [/]
    netservice svc-cfgm-tcp tcp 8211                                                 # inherited from [/]
    netservice svc-netbios-ssn tcp 139                                               # inherited from [/]
    netservice svc-syslog udp 514                                                    # inherited from [/]
    netservice svc-citrix tcp 2598                                                   # inherited from [/]
    netservice svc-ipp-tcp tcp 631                                                   # inherited from [/]
    netservice svc-v6-icmp 58                                                        # inherited from [/]
    netservice svc-l2tp udp 1701                                                     # inherited from [/]
    netservice svc-http-proxy1 tcp 3128                                              # inherited from [/]
    netservice svc-papi udp 8211                                                     # inherited from [/]
    netservice svc-kerberos udp 88                                                   # inherited from [/]
    netservice svc-smb-tcp tcp 445                                                   # inherited from [/]
    netservice svc-vmware-rdp tcp 3389                                               # inherited from [/]
    netservice svc-v6-dhcp udp 546 547                                               # inherited from [/]
    netservice svc-sccp tcp 2000 ALG sccp                                            # inherited from [/]
    netservice svc-smtp tcp 25                                                       # inherited from [/]
    netservice svc-pptp tcp 1723                                                     # inherited from [/]
    netservice svc-ipp-udp udp 631                                                   # inherited from [/]
    netservice svc-web tcp list 80,443                                               # inherited from [/]
    netservice svc-netbios-ns udp 137                                                # inherited from [/]
    netservice svc-ike udp 500                                                       # inherited from [/]
    netservice svc-facetime-tcp tcp 5223 ALG facetime                                # inherited from [/]
    netservice svc-noe-oxo udp 5000 ALG noe                                          # inherited from [/]
    netservice svc-sip-udp udp 5060 ALG sip                                          # inherited from [/]
    netservice svc-microsoft-ds tcp 445                                              # inherited from [/]
    netservice svc-bootp udp 67 69                                                   # inherited from [/]
    netservice svc-msrpc-tcp tcp 135 139                                             # inherited from [/]
    netservice svc-ssh tcp 22                                                        # inherited from [/]
    netservice svc-dhcp udp 67 68                                                    # inherited from [/]
    netservice svc-adp udp 8200                                                      # inherited from [/]
    netservice svc-pcoip2-tcp tcp 4172                                               # inherited from [/]
    netservice svc-esp 50                                                            # inherited from [/]
    netservice svc-sips tcp 5061 ALG sips                                            # inherited from [/]
    netservice svc-lpd tcp 515                                                       # inherited from [/]
    netservice svc-h323-udp udp 1718 1719 ALG h323                                   # inherited from [/]
    netservice svc-http-proxy3 tcp 8888                                              # inherited from [/]
    netservice svc-https tcp 443                                                     # inherited from [/]
    netservice svc-netbios-dgm udp 138                                               # inherited from [/]
    netservice svc-sec-papi udp 8209                                                 # inherited from [/]
    netservice svc-pcoip-tcp tcp 50002                                               # inherited from [/]
    netservice svc-ica tcp 1494                                                      # inherited from [/]
    netservice svc-rtsp tcp 554                                                      # inherited from [/]
    netservice svc-pop3 tcp 110                                                      # inherited from [/]
    netservice svc-snmp udp 161                                                      # inherited from [/]
    netservice svc-sip-tcp tcp 5060 ALG sip                                          # inherited from [/]
    netservice svc-tftp udp 69                                                       # inherited from [/]
    netservice svc-http tcp 80                                                       # inherited from [/]
    netservice svc-telnet tcp 23                                                     # inherited from [/]
    netservice svc-pcoip2-udp udp 4172                                               # inherited from [/]
    netservice svc-ftp tcp 21                                                        # inherited from [/]
    netservice svc-http-proxy2 tcp 8080                                              # inherited from [/]
    netservice svc-msrpc-udp udp 135 139                                             # inherited from [/]
    netservice svc-ntp udp 123                                                       # inherited from [/]
    netservice svc-snmp-trap udp 162                                                 # inherited from [/]
    netservice svc-gre 47                                                            # inherited from [/]
    netservice svc-nterm tcp 1026 1028                                               # inherited from [/]
    netservice svc-vocera udp 5002 ALG vocera                                        # inherited from [/]
    netservice svc-h323-tcp tcp 1720 ALG h323                                        # inherited from [/]
    netservice svc-icmp 1                                                            # inherited from [/]
    netservice svc-natt udp 4500                                                     # inherited from [/]
    netservice svc-dns udp 53                                                        # inherited from [/]
    netservice svc-pcoip-udp udp 50002                                               # inherited from [/]
    netservice svc-svp 119                                                           # inherited from [/]
    (xxxxxxxxxxxx) *[mynode] #
    
    (xxxxxxxxxxxx) *[mynode] #show configuration effective Site1-WC001 detail | include "ip access-list"
    ip access-list eth validuserethacl                                               # inherited from [/]
    ip access-list route uplink-lb-cfg-racl                                          # inherited from [/]
    ip access-list session wificalling-block                                         # inherited from [/]
    ip access-list session v6-control                                                # inherited from [/]
    ip access-list session apprf-wlan3-auth-sacl                                     # inherited from [/md]
    ip access-list session apprf-logon-sacl                                          # inherited from [/]
    ip access-list session dns-acl                                                   # inherited from [/]
    ip access-list session svp-acl                                                   # inherited from [/]
    ip access-list session v6-http-acl                                               # inherited from [/]
    ip access-list session srcnat                                                    # inherited from [/]
    ip access-list session stateful-dot1x                                            # inherited from [/]
    ip access-list session wlan1-auth                                                # inherited from [/md/Site1]
    ip access-list session apprf-authenticated-sacl                                  # inherited from [/]
    ip access-list session voip-applications-acl                                     # inherited from [/]
    ip access-list session allow-diskservices                                        # inherited from [/]
    ip access-list session wlan3-auth                                                # inherited from [/md]
    ip access-list session apprf-sys-switch-role-sacl                                # inherited from [/]
    ip access-list session apprf-wlan6-auth-sacl                                     # inherited from [/md/Site1]
    ip access-list session apprf-ap-role-sacl                                        # inherited from [/]
    ip access-list session dhcp-acl                                                  # inherited from [/]
    ip access-list session wlan2-auth                                                # inherited from [/md]
    ip access-list session vpnlogon                                                  # inherited from [/]
    ip access-list session v6-icmp-acl                                               # inherited from [/]
    ip access-list session wificalling-acl                                           # inherited from [/]
    ip access-list session tftp-acl                                                  # inherited from [/]
    ip access-list session captiveportal                                             # inherited from [/]
    ip access-list session vmware-acl                                                # inherited from [/]
    ip access-list session apprf-default-iap-user-role-sacl                          # inherited from [/]
    ip access-list session skype4b-acl                                               # inherited from [/]
    ip access-list session ap-acl                                                    # inherited from [/]
    ip access-list session v6-allowall                                               # inherited from [/]
    ip access-list session apprf-default-via-role-sacl                               # inherited from [/]
    ip access-list session jabber-acl                                                # inherited from [/]
    ip access-list session apprf-default-vpn-role-sacl                               # inherited from [/]
    ip access-list session apprf-sys-ap-role-sacl                                    # inherited from [/]
    ip access-list session control                                                   # inherited from [/]
    ip access-list session global-sacl                                               # inherited from [/]
    ip access-list session logon-control                                             # inherited from [/]
    ip access-list session v6-dns-acl                                                # inherited from [/]
    ip access-list session ap-uplink-acl                                             # inherited from [/]
    ip access-list session apprf-guest-sacl                                          # inherited from [/]
    ip access-list session noe-acl                                                   # inherited from [/]
    ip access-list session apprf-wlan2-auth-sacl                                     # inherited from [/md]
    ip access-list session wlan6-auth                                                # inherited from [/md/Site1]
    ip access-list session v6-https-acl                                              # inherited from [/]
    ip access-list session v6-ap-acl                                                 # inherited from [/]
    ip access-list session apprf-voice-sacl                                          # inherited from [/]
    ip access-list session https-acl                                                 # inherited from [/]
    ip access-list session skinny-acl                                                # inherited from [/]
    ip access-list session wan-uplink-protect-acl                                    # inherited from [/]
    ip access-list session vocera-acl                                                # inherited from [/]
    ip access-list session http-acl                                                  # inherited from [/]
    ip access-list session apprf-wlan5-auth-sacl                                     # inherited from [/md/Site1]
    ip access-list session captiveportal6                                            # inherited from [/]
    ip access-list session allow-printservices                                       # inherited from [/]
    ip access-list session apprf-switch-logon-sacl                                   # inherited from [/]
    ip access-list session apprf-wlan1-auth-sacl                                     # inherited from [/md/Site1]
    ip access-list session apprf-stateful-dot1x-sacl                                 # inherited from [/]
    ip access-list session wlan5-auth                                                # inherited from [/md/Site1]
    ip access-list session ra-guard                                                  # inherited from [/]
    ip access-list session apprf-denyall-sacl                                        # inherited from [/]
    ip access-list session wlan4-auth                                                # inherited from [/md/Site1]
    ip access-list session citrix-acl                                                # inherited from [/]
    ip access-list session apprf-wlan4-auth-sacl                                     # inherited from [/md/Site1]
    ip access-list session allowall                                                  # inherited from [/]
    ip access-list session facetime-acl                                              # inherited from [/]
    ip access-list session validuser                                                 # inherited from [/]
    ip access-list session apprf-guest-logon-sacl                                    # inherited from [/]
    ip access-list session cplogout                                                  # inherited from [/]
    ip access-list session sip-acl                                                   # inherited from [/]
    ip access-list session v6-logon-control                                          # inherited from [/]
    ip access-list session icmp-acl                                                  # inherited from [/]
    ip access-list session v6-dhcp-acl                                               # inherited from [/]
    ip access-list session h323-acl                                                  # inherited from [/]
    (xxxxxxxxxxxx) *[mynode] #​



  • 4.  RE: Configured roles not used after enabling PEF feature

    EMPLOYEE
    Posted Jul 27, 2022 12:10 PM
    I apologize, you do need to reboot after adding the license, but do NOT write mem.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 5.  RE: Configured roles not used after enabling PEF feature

    Posted Jul 27, 2022 12:44 PM
    The licenses were added earlier, but the PEF feature is not enabled (we tried it before, but it was turned off again due to malfunction)

    The topology looks like we have two Mobility Masters and they manage 3 MD groups, Site1, Site2 and DMZ, each with two physical controllers.

    MD
    • Site1
      • Site1-WLC1
      • Site1-WLC2
    • Site2
      • Site2-WLC1
      • Site2-WLC2
    • DMZ
      • DMZ-WLC1
      • DMZ-WLC2

    The controllers on the DMZ Site do not serve any AP, they are used to deliver guest traffic through the GRE tunnels to the DMZ zone.

    Are you saying that enable the PEF licenses on Mobility Master and then need to reboot the controllers on Site1 and Site2?
    Should we reboot controllers in DMZ too really?



  • 6.  RE: Configured roles not used after enabling PEF feature

    EMPLOYEE
    Posted Jul 27, 2022 12:50 PM
    Since this is a production network, please open a technical support case with HPE so that they can guide you through what you are doing right now.  There could be things that are not in this thread that technical support would be able to guide you through without causing unnecessary outage.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------