Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Design for More than 25K Endpoints

  • 1.  Clearpass Design for More than 25K Endpoints

    Posted Feb 21, 2016 10:59 AM

    Hi,

     

    If we want to size a cluster that has more than 25K endpoints, should we split them into multiple clusters with a maximum size of 25K endpoints, or can we put all of them into a single cluster with multiple 25K appliances as subscribers?

     

    Thanks.



  • 2.  RE: Clearpass Design for More than 25K Endpoints

    Posted Feb 21, 2016 12:48 PM

    Based upon the fact that you likely want to manage the CPPM deployment as a single entity, clustering together multiple CPPM nodes is likely your best solution. I can't envisage why you'd want to deploy multiple CPPM nodes and not cluster them.

     

    Take a look at my CPPM Clustering TechNote for info about CPPM Clustering. Find it here: CPPM TechNote - Clustering Design Guidelines V1



  • 3.  RE: Clearpass Design for More than 25K Endpoints

    Posted Feb 22, 2016 10:59 AM

    Hi Danny,

     

    Thanks. My concern is related to 2 areas:

    1. Can a CP-HW-25K work as a publisher in a campus with 50K endpoints? In this setup, I will propose 4xCP-HW-25K (1 PUB, 3 SUB for redundancy). I will have all authentication handled by subscribers and will not fail over the authentication to PUB at all. Is this a feasible design?
    2. Licensing. Understand that OnGuard licensing is limited to the size of your CPPM. http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-licensing-explained-August-MHC/td-p/195719. If the customer purchases 35K OnGuard licenses, can we load them all into the CP-HW-25K appliance?

    Appreciate your advice. Thanks.

     



  • 4.  RE: Clearpass Design for More than 25K Endpoints

    Posted Feb 22, 2016 08:55 PM

    Your design is fine, but likely a costly design... if you have 50K endpoints then 3 x 25K-CPPM is also OK... but as always corner-cases exist and you need to examine the solution in detail. If you tell me that the 50K devices connect over a short 30-minute window as this is a public venue then maybe it's not the right solution... if they are connecting in a 'typical' enterprise office over a few hours then you're likely good... but more details are needed... I'd suggest liaising with a ClearPass Specialist/Partner/Aruba-SE to get guidance... it's typically more than we can discuss over email on a forum.

     

     

    For your second Q - Yes... in a cluster you add ALL licenses on the PUB and the licenses are then available across the cluster.

     

    HTH.