Regular Contributor II
Posts: 232
Registered: ‎09-11-2013

ClearPass cluster question

Hi Forum,

 

I'm sure this has been asked 100 times before but I can't seem to find a definitive answer.

 

I have 3 ClearPass nodes: 1 publisher and 2 subscribers (one in every site). On every box in the cluster it shows that my Policy Manager license is 1500 (500*3 nodes).

 

What I want to know is what would happen if one site's ClearPass is handling more than 500, say 700? Would it function normally and use the clustered Policy Manager license, or would it complain because I have a CP-500 but I'm sending 700 auth requests on a 7-day average?

 

 

 

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: ClearPass cluster question

If you continuously (during 4 months in a period of the last 6 months) exceed the Policy Manager license, it will lock you out of the UI until additional licenses are added.

A couple of options:

- You either need to load balance the RADIUS requests across the other nodes

- Purchase another 500 for that site
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor II
Posts: 232
Registered: ‎09-11-2013

Re: ClearPass cluster question

Thank you Victor.

I totally understand your point, but this is not what I'm asking (sorry for not being super clear).

 

Would a CP-500 lock me out if I send 700 to it? Even if it says that I have a 1500 Policy Manager license (clustered)?

Regular Contributor II
Posts: 232
Registered: ‎09-11-2013

Re: ClearPass cluster question


I should add: the reason I ask this question is that I have seen a cluster of ClearPass 2x CP-500 with the error message on one box:

"System has exceeded recommended capacity. Unique authentication count-1079. recommended unique authentication-1000"

 

Another question would be:

Can a CP-500 handle 1500 unique RADIUS requests (for a 7-day average) if the license is available in the cluster? And if it does, can it handle 3000 unique auth requests?

Regular Contributor II
Posts: 232
Registered: ‎09-11-2013

Re: ClearPass cluster question

So here is an answer that I figured out myself, in case someone stumbles upon this question in the future.

A CP-500 can handle more than the 500 unique MAC addresses only if you have the license. Meaning if you have 3 CP-500 and the Policy Manager total cluster license is 1500, then that one CP-500 can and will be able to handle 1500 unique requests. You have to keep in mind the resource limitation of the CP-500 (RAM, Processor, HD).

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: ClearPass cluster question

This is not true... The CPPM core lic is the capacity of the CPPM box. Even though CPPM can handle more than what it's designed for, you will still be in lic violation if you run over the capacity of a single box.

The only lic that are shared across a cluster are the feature lic: Onboard, OnGuard, Guest.
Thank You,
Troy

Regular Contributor II
Posts: 232
Registered: ‎09-11-2013

Re: ClearPass cluster question

I respectfully disagree with you.

There is no violation of any kind (strong word to use though). If your cluster has 3x CP-500, a single box can handle all of that. You will run into the issue of over-utilizing the box resources. IF and only IF you go up to 1501 unique auth requests on any one box in the cluster, then you will get the error I mentioned above.

And if this is truly a "Violation", I suggest you take it up with the product managers and have them take out the pooling of the Policy Manager license when you cluster CPPM. This will guarantee that one box can only do what it was built for.

 

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: ClearPass cluster question

The number you see is the total capacity of the cluster. It was put there so when you look at the publisher you know what the total capacity is, not what a single appliance can handle.

 

If you violate the lic capacity of the box for 4 consecutive months then you will get an admin lockout. That has been the design since before and after the two products merged and when I started working for Aruba as a ClearPass specialist.

 

We can chat about this offline if you would like.

Thank You,
Troy

Regular Contributor II
Posts: 232
Registered: ‎09-11-2013

Re: ClearPass cluster question

Thanks Troy I will reach out offline.

Regular Contributor II
Posts: 232
Registered: ‎09-11-2013

Re: ClearPass cluster question

Hi Troy,

 

I have written to you privately but have not heard back yet. Hopefully you can get back to me with the information needed. You and I had an initial discussion in the messages, but I would like to get to the bottom of this as it is affecting some of our customers.

 

Thanks,
