Security

Reply
Super Contributor I

Clearpass Guest Sizing

I was told in my C;earpass bootcamp that if I am going to have 100 unique guest clients per day (inlcuding Sat and Sun), I would need to provision for 700 Clearpass Policy Manager License which mean s I will need either 2 X CPPM 500 or 1 X CPPM 5k. Please advise if this is the ocrrect way to size.

 

Gordon

Normal Guy
Aruba

Re: Clearpass Guest Sizing

No, that is incorrect.   Guest is licensed as the number of devices that authenticate per day (a guest being an authentication against the local db).   The number is averaged out over 7 days. 

 

In your scenario, 100 guest licenses and a CP-VA-500 would suffice.

 

Also, your CP-VA-500 will also have 25 enterprise licenses for use with guest, onboard, or onguard.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Super Contributor I

Re: Clearpass Guest Sizing

Hi Clembo thanks for your clarification as that is what i use to know but now in the bootcamp the training materials gives a different perspective. :smileyfrustrated:

Normal Guy
MVP

Re: Clearpass Guest Sizing

Clembo pretty much summed it up, but I'll add my notes on licensing gathered on the board for further details.

Clearpass Policy Manager

• Licenses based on the number of unique authenticating endpoints (devices) per day
• This is averaged across a 7 day period to take into account normal peaks and valleys to determine whether or not you are exceeding your limit.
• If you exceed your limit you will get a warning in the WebUI
• If it was an abnormal week, nothing will happen and that warning will disappear.
• If you exceed your license count for 4 out of 6 months, you will be locked out of the WebUI until you resolve the issue
• At no point will we disable the system from authenticating users if you exceed the license limit.

Pasted from <http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Clearpass-Guest-Queries/m-p/39894/highlight/true#M605>


Yes...we enact the 7 day moving average to take care of inevitable peaks and valleys in usage of the system.  In the event that you exceed the 25 limit for a trailing 7 days, the system will do the following:
 
Each month a licensing management feature within ClearPass monitors the 7-day rolling average as described and if capacity is exceeded, then the current month is flagged as “out of policy”.
 
 
This will trigger a warning message to the administrator that is displayed on the ClearPass Policy Manager dashboard.
 
If authentications of guests’ devices continue to exceed 25 devices for 4 months out of a 6 month period the next step is to go beyond the warning message described above and actually lock the administrator out of the Policy Manager GUI.
 
While users will continue to be authenticated, exceeding the warnings will prevent the administrator from making any policy changes, running any usage reports or troubleshooting any connectivity issues that might arise. 

From <http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Guest-Licensing-Question/m-p/88392/highlight/true#M6175>

Clearpass Guest

Guest is special, the MAC addresses refresh per day. You end up with a weekly view so that you can see a daily average though.  We understand that in guest environments users come and go on a much quicker basis than in the enterprise itself.
 
The policy manager tracks the unique MAC addresses that it sees on a daily basis, but the refresh is weekly

From <http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Guest-Licensing-Question/td-p/88392/highlight/true/page/2>

Guest uses a daily reset model. If you have 1 appliance and use the starter bundle (25 licenses) all for guest, you can authenticate 25 unique MAC addresses per day that are connected by guests (we support bursting so that if you have not purchased the right level of licenses, users are not denied access). The next day you may see some of the same MAC addresses and new ones. If you stay under or at 25 authentications you have enough licensing (again bursting is supported). 
 
The problem starts when you consistently see 30/40/90 authentications per day over 3 months. Then it's time to buy the next level license bundle.
 
Trent
ClearPass Product Management

From <http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Guest-Licensing-Question/td-p/88392/highlight/true/page/2>

Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Super Contributor I

Re: Clearpass Guest Sizing

This is the calculation that I gotten from Aruba:-

 

Policy manager licensing it’ll display the 30-day average of 7-day totals as calculated on each day. E.g. on day 7 it’ll calculate 7-day total as days1-7, then day 8 it’ll calculate 7-day total as days 2-8. Then, it’ll average these numbers over 30-day period.

 

Gordon

Normal Guy
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: