PEF license should ONLY be applied during a maintenence window, because it requires a reboot. The only exception is if you already have the PEF license applied and you are just adding PEF licenses.
To do it properly you need to:
- backup flash (just in case things don't go well)
- add PEF license
- DO NOT "write mem" or save configuration
- Reboot controller so that default roles and ACLs are properly applied
- ***If you write mem after PEF license is added, but before controller is rebooted, the default ACLS and roles will not be added to the configuration and unpredictable things will happen.****
After reboot, you need to inspect your configuration and do test authentications to make sure things work properly.