Chapter 4

Controller Licensing

The ArubaOS base operating system contains many features and extensive functionality for the
enterprise WLAN network. Aruba uses a licensing mechanism to enable additional features and to
enable AP capacity on controllers. By licensing functionality, organizations are able to deploy the
network and functionality in a manner that best suits their goals.

License Descriptions
 AP Capacity: AP capacity relates to how many APs, AMs, RAPs, and mesh points that serve clients
can connect to a particular mobility controller. This license covers any AP (campus, remote, and
mesh) that will broadcast a user SSID and any AMs. For mesh APs, where wireless is used for wired
traffic backhaul, the mesh links that do not broadcast an SSID are not counted against this license. If
the AP acts as a mesh node and an access point for users, the AP counts against the AP capacity
license. Controllers can be purchased with the AP capacity already installed, and it can be upgraded
later as the network grows. When planning for redundancy, the AP capacity must match the
maximum number of APs that could potentially terminate on the mobility controller.
 Policy Enforcement Firewall–Next Generation (PEF-NG): The Aruba PEF-NG module for
ArubaOS provides identity-based controls to enforce application-layer security, prioritization, traffic
forwarding, and network performance policies for wired and wireless networks. Organization use
PEF-NG to enforce network access policies that specify who may access the network, which areas
of the network they may access, and the performance thresholds of various applications.
Administrators can build a unified, integrated system for network policy enforcement by leveraging
the open APIs of PEF-NG to external services such as content security appliances, network access
control (NAC) policy engines, performance monitors, and authentication/authorization servers.
PEF-NG is licensed by AP count, and the number of licensed APs must be equal to the AP capacity
license of the mobility controller. To enable PEF-NG on wired-only gateways, a single AP PEF-NG
license is required.
 Policy Enforcement Firewall–VPN (PEFV): The PEFV license provides the same features and
functionality that PEF-NG does, but it is applied to users coming in over VPN connections as
opposed to wireless users. The user role and policy are enforced on the mobility controller and thus
only affects centralized traffic. Without this license, users of VPN software, either the Aruba VIA
client or any third-party software, will be given what essentially amounts to an “allow all” role that
cannot be modified. The PEF-VPN license is purchased as a single license that enables the
functionality up to the full user capacity of the mobility controller.
 Wireless Intrusion Protection (WIP): The Aruba WIP module protects the network against
wireless threats to network security by incorporating WIP into the network infrastructure and
eliminating the need for a separate overlay system of RF sensors and security appliances. The WIP
module is integrated into the WLAN system, so it provides unmatched wireless network visibility
and simplicity of operation for network administrators, and thwarts malicious wireless attacks,
impersonations, and unauthorized intrusions. Clients and APs are already a part of the system, so no
valid AP or user list must be maintained, because the network already knows which users and
devices belong there. Additionally, many of the traditional features and attacks that are reported by
traditional WIDS vendors are unnecessary due to the WIP integration with the WLAN itself. WIP is
licensed by AP count, and the number of licensed APs must be equal to the AP capacity license of
the mobility controller.

Aruba Mobility Controllers and Deployment Models VRD | Solution Guide Controller Licensing | 35
  Content Security Service (CSS): Aruba CSS provides cloud-based security for branch offices and
teleworkers. CSS seamlessly integrates with the RAP and BOC product families to provide high-
throughput, low-latency content security with centralized reporting and management. CSS leverages
data centers around the world and provides complete protection including advanced URL filtering,
P2P control, anti-virus/anti-malware, botnet detection, and data loss prevention. High-speed web
logs in CSS provide a flexible and powerful way to view broad trends and per-user drill-downs of
Internet activity. CSS licensing is based on three components: total user count, feature bundles, and
contract length (1 or 3 years). The CSS licenses are installed on the cloud-based service platform.
 xSec (XSC): xSec is a highly secure data link layer (Layer 2) protocol that provides a unified
framework for securing all wired and wireless connections using strong encryption and
authentication. xSec provides a Federal Information Processing Standard (FIPS)-compliant
mechanism to provide identity-based security to government agencies and commercial entities that
need to transmit extremely sensitive information over wireless networks. xSec provides greater
security than other Layer 2 encryption technologies through the use of longer keys, FIPS–validated
encryption algorithms (AES-CBC-256 with HMAC-SHA1), and the encryption of Layer 2 header
information that includes MAC addresses. xSec was jointly developed by Aruba and Funk
Software®, which is a division of Juniper Networks®. xSec is licensed on a per-user basis.

Understanding the Functionality of PEF-NG and PEFV

The functionality contained in the two different firewall licenses can be confusing. The following table
highlights the features that are enabled by each of the firewall licenses as they are installed, and how
they interact with one another.

Table 5 PEF-NG and PEFV Comparison Chart

Wired/
PEF-NG PEFV Wireless VIA/VPN Controller Port
Third-Party
License License Users Users ACLs
AP Users

Installed Not Installed Yes No Yes Yes

Installed Installed Yes Yes Yes Yes

Not Installed Installed No Yes No Yes

Not Installed Not Installed No No No Only MAC, EtherType,

and Extended ACLs
are supported

Licensing Requirements and Recommendations

Different license capacities are required for cloud services and on each mode of mobility controller,
depending on its operational requirements. Each license type should be reviewed to determine if the
features and functionality meet the goals of the organization, and from there the feature licensing levels
can be determined. For complete descriptions of the features enabled by these licenses, visit the Aruba
website at http://www.arubanetworks.com/.

Matching AP-Based Licenses

AP-based licenses should always have the same AP count when in use. Licenses that are required for
backup mobility controllers must be included in this count. These licenses are AP capacity, PEF-NG,
and WIP. If the mobility controller is licensed for more than one of these functions, the licensing rule is:

AP capacity = PEF-NG = WIP

36 | Controller Licensing Aruba Mobility Controllers and Deployment Models VRD | Solution Guide
 As an example, if 64 AP capacity license was purchased and the organization wants to deploy PEF-NG
and WIP, those licenses should be purchased to match the 64 AP capacity. The final license count
would be 64 AP capacity, 64 PEF-NG, and 64 WIP.

Master Mobility Controller Licensing Requirements

The master mobility controller must manage the functionality for all other platforms, so the master
must have the same license types as the local mobility controllers. Licensing unlocks configuration
capabilities on the system. However, the master will not terminate APs or devices, so the master can be
licensed at a much lower level than the local mobility controller where APs, AMs, and devices will be
serviced.
The recommended licensing levels for masters that do not terminate users are listed in the following
table. Note that only the functionality that is being enabled needs to be licensed. As an example, xSec is
primarily only deployed in Federal Government and military installations, and it is not required unless it
will be in use at the organization.

Table 6 Master Mobility Controller Minimum Licensing Levels

License Capacity

AP Capacity 0

PEF-NG 1

PEFV 1

WIP 1

CSS N/A

xSec 1

Local Mobility Controller Licensing Requirements

Local controllers must be licensed according to the number of devices or users that consume licenses.
The license consumption table that follows describes how the different licenses are consumed on local
mobility controllers that terminate user sessions and APs.
Mobility controllers should be licensed at the maximum expected capacity for that mobility controller.
For instance, in a failover scenario the backup controller must be licensed to accept all the APs that it
could potentially end up hosting if a failure occurs, even if that is not the normal operating level.
As an example, a pair of Aruba 3600 Series Mobility Controllers is operating as local mobility
controllers. Each terminates a 40% load of APs, but acts as the backup for the APs on the other
controller. Each mobility controller must be licensed to 80% of maximum capacity. If one mobility
controller fails, the other must be able to add the additional APs from the failed controller. Therefore,
the mobility controllers must be licensed up to the maximum capacity.

Table 7 Local Mobility Controller Licensing Levels

License Capacity

AP Capacity Any AP (campus, mesh, or remote) broadcasting an SSID, or any active AM. Mesh
APs that do not broadcast an SSID (such as a point-to-point bridge) do not count
against this limit.

PEF-NG Any active AP (campus, mesh, or remote) or AM, this license must be equal to the
AP capacity of the network.

Aruba Mobility Controllers and Deployment Models VRD | Solution Guide Controller Licensing | 37
 Table 7 Local Mobility Controller Licensing Levels (Continued)

License Capacity

PEFV PEF-VPN is licensed by box capacity, so licenses are not consumed by individual
sessions. Instead, after the license is installed, all sessions up to the box limit will
have a firewall policy applied to them.

CSS Users in the organization that have signed into the CSS service.

xSec User sessions using xSec.

38 | Controller Licensing Aruba Mobility Controllers and Deployment Models VRD | Solution Guide