Wireless Access

Occasional Contributor II

Need to change default role for IAP



I am trying to change the default role that IAPs are getting because I need to src-nat my RADIUS requests.  I have found many articles that explain how to do this, but the options don't exist.


I am connecting the IAP to a 7210 controller running


I am following this guide:



On page 135, figure 59 - It shows how to change the default role for the default-iap profile.  This is not an option in my controller.



Here is another guide that shows how to do what I need to do:



At the end under "VPN Profile Configuration", the commands are not working for me and "default-role" is not an option:

(Master-Pref) (config) #aaa authentication vpn default-iap

(Master-Pref) (VPN Authentication Profile "default-iap") #default-role iap-role
% Invalid input detected at '^' marker.

(Master-Pref) (VPN Authentication Profile "default-iap") #?
cert-cn-lookup          Check certificate common name against AAA server.
                        Default is enabled.
clone                   Copy data from another VPN Authentication Profile
export-route            Whether to export server-returned VPN ip address as
                        a route to external world.  Default is enabled.
max-authentication-fa.. Maximum auth failures before user is blacklisted.
                        Range: 1-10. Default: 0.
no                      Delete Command
pan-integration         Require IP mapping at Palo Alto Networks firewalls
radius-accounting       Configure server group for radius accounting
server-group            Name of server group
user-idle-timeout       User idle timeout value. Valid range is 30-15300
                        seconds in multiples of 30 seconds



MVP Guru

Re: Need to change default role for IAP

Do you have the PEFV license installed on your controller?


If you want to firewall (or NAT) VPN traffic, you will need the PEFV (Policy Enforcement Firewall for VPN) license to be active.

If you have urgent issues, please contact your Aruba partner or Aruba TAC.

Occasional Contributor II

Re: Need to change default role for IAP

Thank you for the response.


I didn't know there was a separate PEF license for VPN users, and we don't have that one on our controllers.
