Remember PEF lic is not mandatory but in almost all the cases it is needed as soon as you want to add a user access policy rule.
But you can configure your PSK based WLAN in tunnel mode as you wanted with no PEF lic. Just make sure your controller only has AP lic equal to the number of APs,
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Dec 30, 2024 06:38 PM
From: nashith
Subject: Wireless Access Without PEF Licenses
That's unfortunate, it should be made mandatory to begin with then. Not being able to create a basic WLAN with allowall permission (no PEF features) without another license doesn't seem right for a WLAN Controller.
Original Message:
Sent: Dec 30, 2024 06:21 PM
From: ariyap
Subject: Wireless Access Without PEF Licenses
Yes, if you are using AOS8 with controllers you'll always need AP and PEFNG licenses irrespective of forwarding/auth mode or type.
You can always use AOS10 AP/gateways but for that you need Aruba Central subscription.
Original Message:
Sent: Dec 30, 2024 05:38 PM
From: nashith
Subject: Wireless Access Without PEF Licenses
Is a PEF license also required for an Employee-type WLAN with tunnelling and PSK, without any captive portal?
Original Message:
Sent: May 27, 2024 07:50 AM
From: mkk
Subject: Wireless Access Without PEF Licenses
Custom role assignment is only possible with the PEF license (as far as I know, that's also the case when you change the role in the profile to authenticated). PEF is strongly recommended and is the power of the Aruba product.
Note: When using captive portal we require custom roles, and therefore the PEF license is required with captive-portal use.
You can ask TAC support for assistance if you're uncertain.
------------------------------
Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
Original Message:
Sent: May 24, 2024 04:26 PM
From: MJL
Subject: Wireless Access Without PEF Licenses
Hi all,
Is it possible for wireless clients to access the network using only a passphrase without PEF licenses?
I have a client that wants their guest network accessible by clicking on the SSID and entering the passphrase only. No captive portal, no RADIUS, etc. Their wireless network consists of a standalone 7010 mobility controller and 300-series access points. They only have access point (AP) licenses and do not own Policy Enforcement Firewall (PEF) or RF Protect (RFP) licenses.
For a little background, they were running ArubaOS 6.5 until a year ago when I took over and upgraded their mobility controller to version 8.6. I couldn't use a later firmware version because they still had a few 100-series APs at the time. Those have since been replaced and I'd like to upgrade their MC to version 8.12 to mitigate some recent vulnerabilities. I haven't convinced them to move to Aruba Central, so no ArubaOS 10 for them yet.
The problem I have with 8.12 is the same problem I had with 8.6 initially. Clients can connect to the wireless network and receive an IP address, but aren't allowed to access anything. This happens because the users' initial role was set to 'logon' in the virtual AP's AAA policy. I tried changing the role to 'authenticated' but received a message stating:
Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall
The 'authenticated' role is available by default, so I don't understand why it thinks it's user defined. However, I found a workaround in 8.6 by manually enabling the PEF feature. This allowed me to change the initial role to 'authenticated' even though there were no PEF licenses installed. The commands I ran for that were:
change-config-node /mm
license-pool-profile-root pefng-licenses-enable
write mem
change-config-node /mm/mynode
Unfortunately, the workaround above no longer works after version 8.6. Running those commands also prevents me from signing in to the mobility controller through a browser or SSH after upgrading to 8.12.
I'm now looking into a more permanent fix; ideally one that doesn't require my client to purchase 32 PEF licenses. That'd be a hard sell, considering the guest network has worked as desired until now.
So, is there any way to configure the virtual AP or AAA policy to allow users to access the network with just a passphrase? I have a hard time believing this ability, which exists in every residential and consumer-grade wireless router, doesn't exist in an enterprise solution – without additional licenses, anyway. I feel like I'm missing something, but if they need to buy PEF licenses to stay somewhat current, then that's what they'll need to do.
And for the sake of completeness, below is how I configured their guest network on ArubaOS 8.6:
wlan ht-ssid-profile "Guest_HTSSID"
!
wlan ssid-profile "Guest_SSID"
    essid "Guest"
    wpa-passphrase "xxxxxxxx"
    opmode wpa2-psk-aes
    ht-ssid-profile "Guest_HTSSID"
    a-tx-rates 12 24 36 48 54
    a-basic-rates 12 24
    a-beacon-rate 12
    g-tx-rates 12 24 36 48 54
    g-basic-rates 12 24
    g-beacon-rate 12
!
aaa profile "Guest_AAA"
    authentication-dot1x "default-psk"
    initial-role authenticated
!
wlan virtual-ap "Guest"
    ssid-profile "Guest_SSID"
    aaa-profile "Guest_AAA"
    vlan 30
    broadcast-filter arp
    forward-mode "tunnel"
    allowed-band all
    band-steering
    vap-enable
!
ap-group "Front Office"
    virtual-ap "Guest"
!
Thanks in advance for any info you can throw my way!