Security

Reply
Occasional Contributor II
Posts: 19
Registered: ‎03-20-2013

Clearpass Licensing

There have been a number of Aruba articles about Clearpass Licensing and I am still confused.  I understand how endpoints are calculated by do not understand the differences between different licenses required.

Firstly, there are references to Guest licensing and Policy Manager licensing - are these one and the same, as there seems to be no licensing configuration within Guest, and CPPM Policy Manager licenses used match the endpoints expected.  Can anyone confirm this or if there is a separate license for Guest as well as the Policy Manager license ?

Secondly, with a recently purchased 5K appliance, there are 500 Policy Manager licences and 500 Clearpass Enterprise licences.  Can the Policy Manager licences required burst beyond 500 and use the Enterprise licences (so long as the Enterprise functionality is not used) ?

 

Thanks,

Scott.

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Clearpass Licensing

There are 4 types of lic

 

Core lic: lic that come with each appliance/VM (if you bought a 5k then you will get 5k core lic)

Guest: Lic that is used if a guest is created in cppm guest user repository

Onguard: Lic that is used if a device is postured with an agent (Persistent or disolvable)

Onboard: Lic that is used if you issue a certificate to a device with CPPM

 

if you had a guest that connected to CPPM and they created a guest account then it would use

 

1 core lic

1 guest lic

 

if you had a employee that onboarded a device and is scanned when they connect then you would use

 

1 core lic

1 onboard

1 onguard.

 

Does this help?

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II
Posts: 19
Registered: ‎03-20-2013

Re: Clearpass Licensing

Thanks for the quick reply.

So how do I determine how many Core Licences I have in use or do I have to calculate that manually ?  Each of the CPPM's we have all list POLICY MANAGER and CLEARPASS ENTERPRISE - and how many we have for each and how many are in use.

Cheers

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Clearpass Licensing

Remember that all feature lic (guest, onboard, onguard or in your case enterprise which covers all 3 are shared within a cluster. Each appliance can grab from that single pool of lic.)

 

There a 3 different ways you can check lic.

 

1. On the Publisher you can check under lic.

2. You can run an insight report

3. if you have Splunk you can add the CPPM module.

 

Screen Shot 2015-05-13 at 2.33.09 PM.png

 

Screen Shot 2015-05-13 at 2.34.00 PM.png

 

Screen Shot 2015-05-13 at 2.37.15 PM.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II
Posts: 19
Registered: ‎03-20-2013

Re: Clearpass Licensing

Hi again.

Really sorry but penny not dropping into place for me.

 

From your first example for a Guest user, I need one Core lic and one Guest lic.

On our CP500, we have 500 Policy Manager lic and 25 Enterprise lic - this is from CPPM (Admin, Server Manager, Licensing)

On the same CP500 I have created over 1000 user accounts and the used licences does not change. 

When I connected with a Guest device, the Policy Manager lic used increases to 1.

 

Hence my confusion - does the Core lic therefore match the Guest endpoints in the background ?  Or have I exceeded this with the number of Guests I have created (even though they are not all in use at same time).  Or is the Core lic a virtual licence that does not matter so long as the Guest is correctly licenced with Policy Manager licences ?

 

Thanks again.

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Clearpass Licensing

Usage is based on active devices. 

 

You can create as many accounts that you want. It will only go against lic when they are active on the network and authenticate against CPPM

 

If you created 1000 accounts and only 10 connected that day then you would use 

 

10 core lic

10 guest or enterprise lic

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor I
Posts: 36
Registered: ‎06-05-2014

Re: Clearpass Licensing

In Onboard, will there be used one license for each Certificate or for each Onboarded Device?

 

I created two certs. One using the OnBoard self service portal and one by manually generating a CSR.

I thought only Onboarded Devices will need a license and manually generated certificates are "free".

 

Onboard.JPG


Sven
ACMP + ACCP
Guru Elite
Posts: 8,197
Registered: ‎09-08-2010

Re: Clearpass Licensing

It's per signed certificate (which generally is a device)


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Search Airheads
Showing results for 
Search instead for 
Did you mean: