Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Confirmation of license features

  • 1.  Confirmation of license features

    Posted Aug 23, 2024 02:42 AM

    We have a 7010 controller licensed for 15 APs and working well with 802.1x RADIUS passing through to NPS on our Windows domain controller.  User authentication works perfectly.  In configuring 802.1x authentication we see that machine authentication requires a PEF license.  It seems I can buy 15 individual PEF licenses at roughly $55/each, or I can instead buy the per-controller license for "PEF VIA" which is cheaper on a per-AP basis, and would cover any additional APs if we expand.

    Here's my question:  What is "PEF VIA" and how does it compare to the "PEFNG" license?  Feature-wise, does the controller-wide "PEF VIA" license provide the features for machine authentication (that's all we really care about), or am I forced to buy individual PEFNG seats to allow the machine auth features?

    Hope this makes sense.  We're new to Aruba and coming from many years of Cisco Enterprise gear, so pretty much everything is done differently on the license/feature end of things.

    Thanks!



  • 2.  RE: Confirmation of license features

    Posted Aug 23, 2024 02:52 AM

    PEF is highly recommended and part of most Aruba controller deployments, as it allows role-based access, firewalling, Advanced QoS and visibility on the traffic.

    Without PEF, any authentication would have the same access, so that is why setting the machine authenticated role requires PEF. However, machine authentication should still be possible if your RADIUS server (NPS in your description) supports machine authentication. There will just not be a difference in the access (role) they will get on the network.

    PEF-VIA is applicable if you deploy the VPN agent (Virtual Intranet Agent) for remote access, to assign roles for those VPN users. It's different from the PEF license (PEFNG and PEF both refer to the same license, just a historical name change), and for WLAN you will need PEF licenses.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Confirmation of license features

    Posted Aug 26, 2024 04:50 PM

    Thank you Herman.  Your information about PEF features is understood and appreciated.  Our particular deployment is within a small facility where all staff are granted the same physical network access already.  We handle access control other ways in other places.  Role based wireless access control is not required for us at this time, but good to know we can move that if it's ever needed.

    We did get the machine authentication working against NPS after reviewing the GPO configuration more carefully.  I had a small error in the GPO assignment that was preventing the machine authentication from working (didn't have the test laptop in the correct OU).  Thank you for confirming it was possible without the switch enabled in the WLAN config.  I can confirm the machine auth works just fine when passed along to a properly configured NPS server.  I imagine the switch for machine auth within the WLAN config would enable machine auth processing within the controller, which is not a feature we need at this time.  The AD-integrated NPS on Windows server does a good job for us processing the dot1x requests.

    Thanks again.

    Justin