Clearpass Licensing w/ Juniper WLC

I have a very unique situation in our environment. We integrate our Juniper WLCs to Clearpass for guest wireless. Our system is set up exactly like this link. Juniper WLC Clearpass Integration

Unfortunately what ends up happening is we get a lot of "null" requests to the SSIDs. For instance, when a client connects to the SSID initially, there is a MAC auth sent to Clearpass to create an entry in the Clearpass DB for this client. This rule is set up as an accept-all MAC auth to build the entry. Regardless of whether or not the client actually logs into the network, we end up burning a license. I am looking for ways to limit how often the same client can perform a MAC auth. I am exploring options on the Juniper side, but wanted to check with the Clearpass community to see if anyone has run across this before. I appreciate any info that anyone has regarding this!

 

Re: Clearpass Licensing w/ Juniper WLC

The rule of thumb is that as soon as you have a successful authentication, ClearPass counts that device against the appliance capacity. So if you don't want it to authenticate, you can use the [MAC AUTH] method instead of [Allow All MAC AUTH] to only authenticate devices that are set to known in the Endpoint Database. To implement MAC Caching, you can set the endpoint status to known on successful authentication in the Web portal.

 

You can do that with the [Update Endpoint Known] Enforcement profile that looks like this:

[Screenshot: ClearPass Policy Manager - Aruba Networks]

The standard wizard for a Guest with MAC Caching does a lot of this for you. If you need more insight, run the wizard (on a lab/test box; or delete what you don't need afterwards) to see what it creates.
