Wireless Access

  • 1.  Wireless Access Without PEF Licenses

    Posted May 25, 2024 06:41 AM

    Hi all, 

    Is it possible for wireless clients to access the network using only a passphrase without PEF licenses? 

    I have a client that wants their guest network accessible by clicking on the SSID and entering the passphrase only.  No captive portal, no RADIUS, etc.  Their wireless network consists of a standalone 7010 mobility controller and 300-series access points.  They only have access point (AP) licenses and do not own Policy Enforcement Firewall (PEF) or RF Protect (RFP) licenses. 

    For a little background, they were running ArubaOS 6.5 until a year ago when I took over and upgraded their mobility controller to version 8.6.  I couldn't use a later firmware version because they still had a few 100-series APs at the time.  Those have since been replaced and I'd like to upgrade their MC to version 8.12 to mitigate some recent vulnerabilities.  I haven't convinced them to move to Aruba Central, so no ArubaOS 10 for them yet.  

    The problem I have with 8.12 is the same problem I had with 8.6 initially.  Clients can connect to the wireless network and receive an IP address, but aren't allowed to access anything.  This happens because the users' initial role was set to 'logon' in the virtual AP's AAA policy.  I tried changing the role to 'authenticated' but received a message stating: 

    Error: Role 'authenticated' is user defined, and can't be applied without Next Generation Policy Enforcement Firewall

    The 'authenticated' role is available by default, so I don't understand why it thinks it's user defined.  However, I found a workaround in 8.6 by manually enabling the PEF feature.  This allowed me to change the initial role to 'authenticated' even though there were no PEF licenses installed.  The commands I ran for that were: 

    change-config-node /mm
    license-pool-profile-root pefng-licenses-enable
    write mem
    change-config-node /mm/mynode

    Unfortunately, the workaround above no longer works after version 8.6.  Running those commands also prevents me from signing in to the mobility controller through a browser or SSH after upgrading to 8.12.  

    I'm now looking into a more permanent fix; ideally one that doesn't require my client to purchase 32 PEF licenses.  That'd be a hard sell, considering the guest network has worked as desired until now. 

    So, is there any way to configure the virtual AP or AAA policy to allow users to access the network with just a passphrase?  I have a hard time believing this ability, which exists in every residential and consumer-grade wireless router, doesn't exist in an enterprise solution – without additional licenses, anyway.  I feel like I'm missing something, but if they need to buy PEF licenses to stay somewhat current, then that's what they'll need to do.  

    And for the sake of completeness, below is how I configured their guest network on ArubaOS 8.6: 

    wlan ht-ssid-profile "Guest_HTSSID"
        !
    wlan ssid-profile "Guest_SSID"
        essid "Guest"
        wpa-passphrase "xxxxxxxx"
        opmode wpa2-psk-aes
        ht-ssid-profile "Guest_HTSSID"
        a-tx-rates 12 24 36 48 54
        a-basic-rates 12 24
        a-beacon-rate 12
        g-tx-rates 12 24 36 48 54
        g-basic-rates 12 24
        g-beacon-rate 12
        !
    aaa profile "Guest_AAA"
        authentication-dot1x "default-psk"
        initial-role authenticated
        !
    wlan virtual-ap "Guest"
        ssid-profile "Guest_SSID"
        aaa-profile "Guest_AAA"
        vlan 30
        broadcast-filter arp
        forward-mode "tunnel"
        allowed-band all
        band-steering
        vap-enable
        !
    ap-group "Front Office"
        virtual-ap "Guest"
        !

    Thanks in advance for any info you can throw my way! 



  • 2.  RE: Wireless Access Without PEF Licenses
    Best Answer

    Posted May 27, 2024 07:51 AM
    Edited by MJL May 27, 2024 02:37 PM

    Custom role assignment is only possible with the PEF license (as far as I know, that's also the case when you change the role in the profile to authenticated). PEF is strongly recommended and the power of the Aruba product.

    Note: When using captive-portal we require custom roles, and therefore the PEF license is required with captive-portal use.

    You can ask TAC support for assistance if you're uncertain.

    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: Wireless Access Without PEF Licenses

    Posted May 27, 2024 02:45 PM

    Thank you for confirming, Marcel.  Since my client will need to buy additional licenses anyway, this may be a good time to move them to ArubaOS 10 and get everything managed by Aruba Central.  I'll price out both and see what they say.  Thanks again!  




  • 4.  RE: Wireless Access Without PEF Licenses

    Posted 14 days ago

    Is a PEF license also required for an Employee type WLAN with tunnelling and PSK, without any captive portal?




  • 5.  RE: Wireless Access Without PEF Licenses

    Posted 14 days ago

    Yes, if you are using AOS8 with controllers you'll always need AP and PEFNG licenses, irrespective of forwarding/auth mode or type.

    You can always use AOS10 APs/gateways, but for that you need an Aruba Central subscription.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 6.  RE: Wireless Access Without PEF Licenses

    Posted 14 days ago

    That's unfortunate; it should be made mandatory to begin with, then. That creating a basic WLAN with allowall permission (no PEF features) is not possible without another license doesn't seem right for a WLAN controller.




  • 7.  RE: Wireless Access Without PEF Licenses

    Posted 14 days ago

    Remember PEF lic is not mandatory but in almost all the cases it is needed as soon as you want to add a user access policy rule.

    But you can configure your PSK based WLAN in tunnel mode as you wanted with no PEF lic. Just make sure your controller only has AP lic equal to the number of APs.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------