MVP
Posts: 517
Registered: ‎05-11-2011

ClearPass licensing explained - August-MHC


I often get questions from customers and our own organization on how ClearPass licensing works. Also – on the Aruba Airheads forums there are many questions – and answers – on the topic of ClearPass licensing. This document/post seeks to summarize that.

 

Parts of the document are information collected from the Airheads forum – see the reference list at the end.

 

Please let me know if there are points I'm wrong on, or that need further explanation, for instance using examples/scenarios.

 

First - ClearPass Basics

Common for licensing in ClearPass Policy Manager is that it’s counted towards endpoints/devices – and not user accounts. One user may have more than one device and the most common number today is 2-3 and steadily increasing. Remember this when scaling your solution.

 

ClearPass Policy Manager (CPPM)

  • This is the basic server that authenticates up to a certain number of devices. These come in packages of 500, 5000 and 25.000. Once you buy a server, you do not need any additional licenses to start authenticating devices. If your goal is straight up 802.1x authentication using AD credentials then you’re set.
  • When installed you also have access to the three Applications: Guest, OnBoard and OnGuard.
  • All CPPMs come bundled with 25 Enterprise application licenses so you can test the functionality of the Applications, as this license can be used for any of them.

New functionality in 6.4!

If you plan to use CPPM ONLY for the Guest application there is a feature you can activate called "High Capacity Guest mode". This doubles the amount of Guest user devices you can authenticate on a single server. Meaning a CP-500 can authenticate 1000 Guest devices. You will need the correct amount of Guest licenses, but this will save you the extra cost of an extra CPPM server if you need between 500-1000 devices.

 

  • Note! This disables ALL 802.1x functionality, OnBoard and OnGuard. See screenshot below taken from the CPPM WebUI

cppm-64-hcgm.jpg

 

Applications

ClearPass Guest

  • This Application adds functionality for visitor management – guest self-registration and employee lookup among some of its set of features.
  • Licensed through the ClearPass Guest or Enterprise license and is limited to the size of your CPPM.

News in 6.4!

Introducing the High Capacity Guest mode feature where you can have double the amount of Guest devices on a CPPM server. For your CP-500 server you can then authenticate up to 1000 devices. You will need the correct amount of Guest licenses, but this will save you the extra cost of an extra CPPM server if you are slightly above 500 devices.

 

ClearPass OnBoard

  • ClearPass Onboard offers self-provisioning and configuration of personal mobile devices enabling you to securely connect to the network in support of BYOD initiatives.
  • Licensed through the ClearPass OnBoard or Enterprise license and is limited to the size of your CPPM.

News in 6.4!

Not available if you are using High Capacity Guest Mode

 

ClearPass OnGuard

  • This application performs automated endpoint posture assessments on the supported device to ensure that compliance is met before the device is able to connect to wireless and wired networks.
  • Licensed through the ClearPass OnGuard or Enterprise license and is limited to the size of your CPPM

 

News in 6.4!

Not available if you are using High Capacity Guest Mode

 

Licensing details

ClearPass Policy Manager

You will have to activate the server license through the WebUI within 90 days of installation, but it does not expire.

 

For support, and to be able to update to the latest versions and patches through the WebUI, you will also need an active support subscription - either ArubaCare or PartnerCare. You buy a subscription for a period of x years and it is NOT automatically renewed. Contact your Partner or Aruba contact for renewal.

 

NOTE! The system continues to work even with an expired subscription, but no more support or updates until renewal.

 

Licensing is based on the number of unique authenticating endpoints (devices) per day.

  • This is averaged across a 7 day period to take into account normal peaks and valleys to determine whether or not you are exceeding your limit.
  • If you exceed your limit you will get a warning in the WebUI.
  • If it was an abnormal week, nothing will happen and that warning will disappear.
  • If you exceed your license count for 4 out of 6 months, the administrator will be prevented from making any policy changes, running any usage reports or troubleshooting any connectivity issues that might arise.
  • At no point will the system stop authenticating users – even if you exceed the license limit.

CPPM Cluster

If you reach your limit on your existing system, you can add additional servers to a CPPM cluster to be able to authenticate more devices. See attached figures

 

cppm-5k-cluster.png

cppm-5k-cluster2.png

 

 

ClearPass Guest

The licenses count towards authenticated endpoints connected to a Guest user account, not the guest user account itself.

The CPPM tracks the unique MAC addresses registered on a Guest that it sees on a daily basis, but the refresh is weekly.

 

Example:

If you have one appliance and use the starter bundle (25 Enterprise licenses) all for Guest, you can authenticate 25 unique MAC addresses per day connected by Guests.

 

The system supports bursting so that if you have not purchased the right level of licenses, users are not denied access. The next day you may see some of the same MAC addresses and new ones. If you stay under or at 25 authentications you have enough licensing (again bursting is supported). The problem starts when you consistently see 30/40/90 authentications per day over 3 months. Then it is time to buy the next level license bundle.

 

Cluster

Application licenses in CPPM have a centralized license model. The Guest Application license is added to the Publisher, and Subscriber nodes use from this pool when authenticating.

 

ClearPass Onboard

Onboard licensing is based on the number of active and unique device certificates that have been provisioned. As the certificates expire or are revoked they will be removed from the license count.

 

Cluster

Application licenses in CPPM have a centralized license model. The Guest Application license is added to the Publisher, and Subscriber nodes use from this pool when authenticating.

 

ClearPass Onguard

The same model as CPPM for devices that go through a posture/health check.

 

Example: you have 2500 devices authenticated through 802.1x, and of these only 1000 are company-owned laptops authenticated daily. You want to do posture assessment of these 1000 devices, so you will then need 1000 OnGuard licenses.

 

Cluster

Application licenses in CPPM have a centralized license model. The Guest Application license is added to the Publisher, and Subscriber nodes use from this pool when authenticating.

 

 

Reference list:

| URL | Source | Author |
| --- | --- | --- |
| http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-License-Usage-count-is-shown-on-CPPM/ta-p/185596 | Airheads forum | Arunkumar |
| http://community.arubanetworks.com/t5/notifications/emailmessagepage/board-id/aaa-nac-guest-access-byod/message-id/4965 | Airheads forum | tarinelli |
| http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-Guest-Licensing-Question/m-p/88392 | Airheads forum | SethFierMonti |
| Thanks to Tim Cappalli for pointing out the new features for 6.4 | Airheads forum | capalli |


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: ClearPass licensing explained - August-MHC

This is GREAT!

One thing you may want to add: (it's brand new)

 

6.4 allows oversubscription of Guest in a guest-only environment. So a CP-5K can do 10,000 guest users when the high capacity mode is enabled. (still requires 10k guest licenses)

 

high-capacity-guest.JPG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Community Administrator
Posts: 2,254
Registered: ‎12-03-2013

Re: ClearPass licensing explained - August-MHC


Nice. This is extremely helpful. Thanks

 

Also drop it in the Mobility Hero Contest page here.

CWNA, ACMP, Security +
MVP
Posts: 517
Registered: ‎05-11-2011

Re: ClearPass licensing explained - August-MHC

Edit: Updated for 6.4 information in regards of High Capacity Guest mode (Thanks Tim!)


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
MVP
Posts: 517
Registered: ‎05-11-2011

Re: ClearPass licensing explained - August-MHC

Update: Added some examples

 

Btw - thanks for the kudos guys! Nice to see that this info is appreciated :)


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
Contributor I
Posts: 20
Registered: ‎05-14-2014

Re: ClearPass licensing explained - August-MHC


Hello John,

 

I noticed a contradiction between your post and the 1st link in the reference (post by Arunkumar).

 

You wrote:


jsolb wrote:

 

Licensing details

ClearPass Policy Manager

 

Licensing is based on the number of unique authenticating endpoints (devices) per day.

  • This is averaged across a 7 day period to take into account normal peaks and valleys to determine whether or not you are exceeding your limit.
  • If you exceed your limit you will get a warning in the WebUI.
  • If it was an abnormal week, nothing will happen and that warning will disappear.
  • If you exceed your license count for 4 out of 6 months, the administrator will be prevented from making any policy changes, running any usage reports or troubleshooting any connectivity issues that might arise.
  • At no point will the system stop authenticating users – even if you exceed the license limit.

 

Arunkumar wrote:

 

Policy Manager: It’s a rolling average of unique endpoints (MAC Addresses) per week calculated over M days (where M >0 and <=30). For example, if unique endpoints from Day1-Day8 are 500 and unique endpoints from Day2-Day9 are 600, then the Policy Manager License usage is shown as 550.

So the question is: if we have a CPPM-VA 500, can we authenticate 500 unique endpoints per day or 500 unique endpoints per week (don't care about the rolling average for now)?

 

Thanks!

 

/ Ruske

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: ClearPass licensing explained - August-MHC

wondering about this: "If you reach your limit on your existing system, you can add additional servers to a CPPM cluster to be able to authenticate more devices. "

 

is it just adding the extra CPPM, or do you actually have to send RADIUS requests to the extra CPPM?

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: ClearPass licensing explained - August-MHC

For hardware scaling purposes, you should send some RADIUS requests to the new server either directly or by using RADIUS load balancing.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: ClearPass licensing explained - August-MHC

sure, i can understand that. but is just adding another cppm enough to make sure you don't break your license limit?

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: ClearPass licensing explained - August-MHC

Only feature lic are shared across the cluster.
Thank You,
Troy
