12-17-2015 08:10 AM
I am working on setting up a captive portal solution using ClearPass to provide a number of services. Among the things I am trying to accomplish are:
1) Allow single click captive portal for basic access
2) Allow captive portal login for users with AD accounts.
3) Allow special guests the ability to self-register with sponsorship
I have all three of these working already, however my concern is about licensing. The anonymous login option in ClearPass defaults to using a Guest User account. My understanding of ClearPass licensing is that this consumes a Guest license for each unique MAC address using this login per-day. We have enough Guest licenses to cover the limited self-registration but not enough to cover a horde of anonymous visitors. Thus my questions are:
1) Will each anonymous visitor indeed consume a guest license?
2) Is there any way to change the authentication source for this single anonymous account to, say the local user repository, so that it does not consumer Guest licenses?
12-21-2015 01:27 PM
In the web login page configuration for anonymous logins, there is only 1 guest license that is consumed as you are prompted to create a local guest user to use for authentication on the T&C page. The amount of MAC addresses per day would have to be sized and matched against an appropriate ClearPass policy manager appliance but you should be able to scale this up without additional guest licenses being consumed.
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
12-23-2015 06:38 AM
Hmm, ClearPass licensing has always been rather confusing. You seem to be saying that Guest license consumption is based on the Guest user account and NOT on the unique MAC addresses authenticating as a Guest. That appears to contradict this forum post:
Which explains Guest licensing thusly:
ClearPass Guest The licenses count towards authenticated endpoints connected to a Guest user account, not the guest user account itself. The CPPM tracks the unique MAC addresses registered on a Guest that it sees on a daily basis, but the refresh is weekly. Example: If you have one appliance and use the starter bundle (25 Enterprise licenses) all for Guest, you can authenticate 25 unique MAC addresses per day connected by Guests.
I would be very happy if you are correct and all 5000+ devices authenticating per day using the Anonymous guest user account will only consume a single Guest license (obviously they would still consume 5000+ Policy Manager licenses). Can you or someone else at Aruba confirm this?