Wireless Access


PEFNG Questions

  • 1.  PEFNG Questions

    Posted Oct 31, 2014 09:17 AM

    Hello all.  I have a couple of weird questions about PEFNG and some issues I have run into.

     

    First of all, right now I do not have the PEFNG license installed on our 3200 controller.  After we upgraded to Aruba OS 5, we had issues with DHCP not working correctly to our tunneled access points, so we ditched PEFNG.  We are now running 6.2.13 I believe.  Anyway, I am needing to throttle a certain SSID, but from what I have seen you can't do it without the PEFNG license installed.  So, I installed it the other night, DHCP worked fine, but now I get a web page that pops up that there was an authentication error and you cannot continue.  This happens on any device I try to connect to them.  We are not using any type of authentication, only the SSID passwords.  Any ideas?



  • 2.  RE: PEFNG Questions

    EMPLOYEE
    Posted Oct 31, 2014 09:20 AM
    Do you have a captive portal configured for this SSID?

    What ACLs are in your user role?


  • 3.  RE: PEFNG Questions

    Posted Oct 31, 2014 10:01 AM

    Where would I check to see if an SSID has captive portal turned on?  Even though we have had this Aruba system a few years, I still am not sure where some things are, and using SSH is even worse since I am not sure on commands.



  • 4.  RE: PEFNG Questions

    EMPLOYEE
    Posted Oct 31, 2014 10:03 AM

    What type of authentication are you using on the SSID?

     

    What is your initial role in the AAA profile?



  • 5.  RE: PEFNG Questions

    Posted Oct 31, 2014 10:07 AM

    I think the role is above in the jpeg I attached.  Right now all three SSIDs are open with no password.  But I am wanting to add a password to our main one, but throttle our open SSID.



  • 6.  RE: PEFNG Questions

    Posted Oct 31, 2014 09:34 AM

    When you come from a non-PEFNG install to one that has PEFNG installed, you change the nature of roles and access policies.   The role that was in place before was probably sufficient for your use, but now that you have PEFNG installed, it is likely trying to redirect you to a Captive Portal page.

     

    For example, the initial role of a AAA profile without PEFNG is "logon".   This role, when PEFNG is installed, is configured for Captive Portal.

     

    Run "show user" to see what role the users are in

    Run "show rights <name-of-role>" to see what policies are applied to the user now

     

    If you want to allow the users full access (may be recommended until you determine how you want to use the roles/policies):

     

    config t

    aaa profile <name-of-AAA-profile>

    initial-role authenticated

    wr memory

     

     

     



  • 7.  RE: PEFNG Questions

    Posted Oct 31, 2014 09:54 AM
    So, you are saying that where it says initial role logon here will change to captive portal when I install the PEFNG license?


  • 8.  RE: PEFNG Questions

    Posted Oct 31, 2014 10:07 AM

    The AAA profile you showed has logon as the initial role.  You mentioned on PSK authentication, so this is the role the users are likely getting assigned.  This logon role has captiveportal policies assigned, but typically does not have a default captive portal profile assigned.    The role itself will not change to "captive portal".    If you don't want any of this behavior, change your default role:

     

    config t

    aaa profile Greenbush-aaa-prof

    initial-role authenticated

     

    By the way, was that screenshot before the PEFNG loaded?   If that is how it looks now, have you rebooted since you installed the PEFNG license?



  • 9.  RE: PEFNG Questions

    Posted Oct 31, 2014 10:08 AM

    That screenshot is now, but I have uninstalled the license again so clients could connect.



  • 10.  RE: PEFNG Questions

    Posted Oct 31, 2014 10:11 AM

    OK.    After reapplying the license and rebooting, you can change the initial-role to something like "authenticated" which will give the users full access.   You can then work on setting up a new role to assign to the specific network with bandwidth restrictions as necessary.

     


    clembo wrote:

     

    config t

    aaa profile Greenbush-aaa-prof

    initial-role authenticated



  • 11.  RE: PEFNG Questions

    Posted Oct 31, 2014 10:13 AM

    Thanks.  I will try that tonight.

     

    By the way, what is the command you type in SSH to actually make changes?  I log in but it gives me an error about a ^ symbol.



  • 12.  RE: PEFNG Questions

    Posted Oct 31, 2014 10:22 AM

    The commands I referenced above should work; but they will not work until PEFNG is loaded.

     

     



  • 13.  RE: PEFNG Questions

    Posted Nov 10, 2014 09:20 AM

    Thanks guys.  I was able to get it working.  I had to delete the captive portal user role, and now things are working ok.  The next question though I have is when I go into the AAA area of the Virtual AP, I can't change the initial login role.  It's greyed out and stuck on logon for the role.



  • 14.  RE: PEFNG Questions
    Best Answer

    Posted Nov 10, 2014 09:57 AM

    You may see this if you are editing within the VAP.   Edit the AAA profile directly under Authentication or All Profiles; not within the Virtual AP.

     

    The roles will be greyed out for other reasons:

     

    1) You are editing on a local controller; these configuration changes can only be made on the master

    2) You do not have the PEFNG license loaded.   Verify the license is active through "show license" and verify there is a Next Generation Policy Enforcement Firewall Module loaded with "E" for enabled in the flags.  Make sure there is not an "R" for reboot.

     



  • 15.  RE: PEFNG Questions

    Posted Nov 16, 2014 10:45 PM
    Thanks. I was able to change it under the authentication area.
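
Added example, not part of the original thread: after the initial-role change discussed above, a saved configuration can be audited to list which virtual APs still hand clients the full-access "authenticated" role. The config excerpt is constructed; the role, virtual AP and profile names other than Greenbush-aaa-prof are hypothetical, and the defaults ("logon" initial role, "default" AAA profile) are assumptions.

```python
import re
# Constructed running-config excerpt; only "Greenbush-aaa-prof" comes from the thread.
SAMPLE_CONFIG = '''\
aaa profile "Greenbush-aaa-prof"
   initial-role "authenticated"
!
aaa profile "staff-aaa-prof"
!
aaa profile "guest-aaa-prof"
   initial-role "guest-throttled"
!
wlan virtual-ap "Greenbush-vap"
   aaa-profile "Greenbush-aaa-prof"
!
wlan virtual-ap "staff-vap"
   aaa-profile "staff-aaa-prof"
!
wlan virtual-ap "guest-vap"
   aaa-profile "guest-aaa-prof"
'''
DEFAULT_INITIAL_ROLE = "logon"         # assumed default when no initial-role line exists
FULL_ACCESS_ROLES = {"authenticated"}  # role the thread describes as giving full access

def parse_blocks(config, header):
    """Return {name: {keyword: value}} for every '<header> <name>' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None                      # separator ends the current block
        elif not line[0].isspace():             # unindented line starts a new block
            m = re.fullmatch(re.escape(header) + r'\s+"?([^"]+)"?', line.strip())
            current = blocks.setdefault(m.group(1), {}) if m else None
        elif current is not None:               # indented setting inside a wanted block
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip().strip('"')
    return blocks

def audit_initial_roles(config):
    """Return (virtual AP, AAA profile, initial role, full_access) per virtual AP."""
    profiles = parse_blocks(config, "aaa profile")
    findings = []
    for vap, settings in sorted(parse_blocks(config, "wlan virtual-ap").items()):
        prof = settings.get("aaa-profile", "default")   # assumed default profile name
        role = profiles.get(prof, {}).get("initial-role", DEFAULT_INITIAL_ROLE)
        findings.append((vap, prof, role, role in FULL_ACCESS_ROLES))
    return findings

if __name__ == "__main__":
    for row in audit_initial_roles(SAMPLE_CONFIG):
        print(*row)
```

Any row whose last field is True is a network where every associating client starts in the full-access role, which is the state to revisit once a restricted, bandwidth-limited role is in place.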