Wireless Access

 View Only
last person joined: 5 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

Wireless Access Without PEF Licenses

This thread has been viewed 19 times
  • 1.  Wireless Access Without PEF Licenses

    Posted May 25, 2024 06:41 AM

    Hi all, 

    Is it possible for wireless clients to access the network using only a passphrase without PEF licenses? 

    I have a client that wants their guest network accessible by clicking on the SSID and entering the passphrase only.  No captive portal, no RADIUS, etc.  Their wireless network consists of a standalone 7010 mobility controller and 300-series access points.  They only have access point (AP) licenses and do not own Policy Enforcement Firewall (PEF) or RF Protect (RFP) licenses. 

    For a little background, they were running ArubaOS 6.5 until a year ago when I took over and upgraded their mobility controller to version 8.6.  I couldn't use a later firmware version because they still had a few 100-series APs at the time.  Those have since been replaced and I'd like to upgrade their MC to version 8.12 to mitigate some recent vulnerabilities.  I haven't convinced them to move to Aruba Central, so no ArubaOS 10 for them yet.  

    The problem I have with 8.12 is the same problem I had with 8.6 initially.  Clients can connect to the wireless network and receive an IP address, but aren't allowed to access anything.  This happens because the users' initial role was set to 'logon' in the virtual AP's AAA policy.  I tried changing the role to 'authenticated' but received a message stating: 

    Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

    The 'authenticated' role is available by default, so I don't understand why it thinks it's user defined.  However, I found a workaround in 8.6 by manually enable the PEF feature.  This allowed me to change the initial role to 'authenticated' even though there were no PEF licenses installed.  The commands I ran for that were: 

    change-config-node /mm

    license-pool-profile-root pefng-licenses-enable

    write mem

    change-config-node /mm/mynode

    Unfortunately, the workaround above no longer works after version 8.6.  Running those commands also prevents me from signing in to the mobility controller through a browser or SSH after upgrading to 8.12.  

    I'm now looking into a more permanent fix; ideally one that doesn't require my client to purchase 32 PEF licenses.  That'd be a hard sell, considering the guest network has worked as desired until now. 

    So, is there any way to configure the virtual AP or AAA policy to allow users to access the network with just a passphrase?  I have a hard time believing this ability, which exists in every residential and consumer-grade wireless router, doesn't exist in an enterprise solution – without additional licenses, anyway.  I feel like I'm missing something, but if they need to buy PEF licenses to stay somewhat current, then that's what they'll need to do.  

    And for the sake of completeness, below is how I configured their guest network on ArubaOS 8.6: 

    wlan ht-ssid-profile "Guest_HTSSID"


    wlan ssid-profile "Guest_SSID"

        essid "Guest"

        wpa-passphrase "xxxxxxxx"

        opmode wpa2-psk-aes

        ht-ssid-profile "Guest_HTSSID"

        a-tx-rates 12 24 36 48 54

        a-basic-rates 12 24

        a-beacon-rate 12

        g-tx-rates 12 24 36 48 54

        g-basic-rates 12 24

        g-beacon-rate 12


    aaa profile "Guest_AAA"

        authentication-dot1x "default-psk"

        initial-role authenticated


    wlan virtual-ap "Guest"

        ssid-profile "Guest_SSID"

        aaa-profile "Guest_AAA"

        vlan 30

        broadcast-filter arp

        forward-mode "tunnel"

        allowed-band all




    ap-group "Front Office"

        virtual-ap "Guest"


    Thanks in advance for any info you can throw my way! 

  • 2.  RE: Wireless Access Without PEF Licenses
    Best Answer

    Posted May 27, 2024 07:51 AM

    Custom role assignment is only possible with the PEF license (far as i known that's also in the case when you change the role in the profile to authenticated). PEF is strongly recommend and the power of the Aruba product.

    Note: When use captive-portal we require custom roles and therefore the PEF license is required with captive-portal use.

    You can ask TAC support for assistance if your uncertain.

    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

  • 3.  RE: Wireless Access Without PEF Licenses

    Posted May 27, 2024 02:45 PM

    Thank you for confirming Marcel.  Since my client will need to buy additonal licenses anyway, this may be a good time to move them to ArubaOS 10 and get everything managed by Aruba Central.  I'll price out both and see what they say.  Thanks again!