PEF is highly recommended and part of most Aruba controller deployments, as it allows role-based access, firwalling, Advanced QoS and visibility on the traffic.
Without PEF, any authentication would have the same access, so that is why setting the machine authenticated role requires PEF, however machine authentication should still be possible if your RADIUS server (NPS in your description) supports machine authentication. There will just not be a difference in the access (role) they will get on the network.
PEF-VIA is applicable if you deploy the VPN agent (Virtual Intranet Agent) for remote access, to assign roles for those VPN users. It's different from the PEF (PEFNG and PEF refer both to the same license, just historical name change) license and for WLAN you will need PEF licenses.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Aug 22, 2024 04:13 PM
From: Brayton ITStaff
Subject: Confirmation of license features
We have a 7010 controller licensed for 15 APs and working well with 802.1x RADIUS passing through to NPS on our Windows domain controller. User authentication works perfectly. In configuring 802.1x authentication we see that machine authentication requires a PEF license. It seems I can buy 15 individual PEF licenses at roughly $55/each, or I can instead buy the per-controller license for "PEF VIA" which is cheaper on a per-AP basis, and would cover any additional APs if we expand.
Here's my question: What is "PEF VIA" and how does it compare to the "PEFNG" license? Feature-wise, does the controller-wide "PEF VIA" license provide the features for machine authentication (that's all we really care about), or am I forced to buy individual PEFNG seats to allow the machine auth features?
Hope this makes sense. We're new to Aruba and coming from many years of Cisco Enterprise gear, so pretty much everything is done differently on the license/feature end of things.
Thanks!