Security

Hi all,

 

do we have any possibility with the new ClearPass Licensing model to assign licenses for certain authentications?

Use case: A customer had 100 Guest licenses and a 500-VA-appliance. This was migrated to 600 Access licenses. From time to time, the customer has more than 200 guests in the network but needs 400 licenses for the internal authentications.

Any possibility to cut guests after a defined threshold to avoid failing internal authentications?

Anything planned in this direction?

 

Thanks

Michael

There are no hard caps for Guest or authentications. Also, in ClearPass 6.7, the guest license is gone.

Hi Michael,

 

You could look at limiting it on the Guest SSID.

 

On a Aruba Controller you can set the 'Max Associations' (default is 64).

On a Aruba Instant you can set the 'Max Client threshold' (default is 64)

These are the max clients on the SSID. Note: An Aruba AP can support up to max 255 clients per Radio.

 

Hope this helps.

 

 

The max stations does not solve the issue as it is on an AP basis and not on the authetnication (guests) in the overall SSID.

How can we take this as an PER?

 

I just need to ensure that all internal stations will be authenticated while guests may be rejected if the concurrent license limit is reached.

Please post a request for enhancement here: https://innovate.arubanetworks.com/portal_session/new

 

There is not currently a way to do what you want to do.

You do NOT need to do this. ClearPass does not have a hard license cap.

What happens after the license count is reached in R6.7?

In both 6.6 and 6.7, there are no hard caps. You will receive administrative warnings that the license has exceeded but authentication will always continue. Also keep in mind that in 6.7, there is no difference between a guest and regular user.

Hi Michael,

 

For 6.7, guest license gone and license user is in pool. Clearpass will count in concurrent and release when it out.

For this, I think you can receive the maximum is 525 access and you must buy 100 access to cover the requirement.

Hi

The customer will get more then 525!

He has an CP-VA500, so that will become 525 AL
Then he has 100 guest, that will become 100 AL

So 625 AL in total, if I am correct.

Hi Frank,

 

Correct, after converted to New License (NL). Access license will be 525 and Guest license will convert to Access license.

 

For example,CP-VA-500 and 100 Guest license convert to NL.

Access license 500 + 25 = 525.

Guest license 100 change to Access license 100

The result is 525 + 100 = 625 of Access license.

 

 

How is it planned to be handled? In this case I could order 50 licenses and make 100s of authentications if it is not limited.

Hi,

 

FYI The new licenses are in amounts of 100.

 

Yes you could have more authentication then licences in the system. But you will get messages about this and off course you might run into issues when you need support from TAC.

There will probably be an statement about this in the EULA.