Security

Reply
Contributor II
Posts: 75
Registered: ‎05-06-2014

Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

 

I can see that there is no client MAC address associated with VIA client authentications, presumably because the client is hidden behind the NAS (the Aruba controller); it's a layer-3 authentication.  Does this mean you could authenticate 1000s of VIA users, without using up any CPPM base licences?

 

If this is the case, presumably the first limit that would be reached in the system - assuming you have a fat Internet pipe and a 'big' 7200-series controller - would be the ability of your ClearPass server to process all the simultaneous connection requests at the busiest time of the day..?  Are there any guidelines anywhere on how many authentications per second the ClearPass hardware appliances can handle?

Guru Elite
Posts: 7,991
Registered: ‎09-08-2010

Re: Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

Yes they are counted.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

Thanks for your reply Tim...  A supplementary question:

 

If the MAC address can't be used to associate with the device  (you agree ClearPass doesn't see the client MAC?) how does ClearPass not double-count PCs when they authenticate to the Wireless network?  Or does Clearpass count that as two devices...?  Do I need two CPPM licences for every machine that regularly connects using both VIA client and WLAN..?

Guru Elite
Posts: 7,991
Registered: ‎09-08-2010

Re: Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

VIA's virtual network address should be present in the authentication request.

Please work with your Aruba or partner SE on proper scaling because authentications per second varies greatly based on authentication method, role mapping, authorization and number of enforcement rules that have to be evaluated.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

Thanks again Tim - I will talk to our SE about the CP sizing piece...

 

On the licensing thing; I can't see a VIA virtual network address within access tracker  (?)

I can see a consistent Access Device IP/Port:   <the IP address of our controller>

And I can see an End-Host Identifier, which appears to be the registered IP address of each client as it connects

I can also see each Username: as the system I'm looking at uses domain login credentials  (incidentally:  what would I see if VIA clients were using a machine certificate to authenticate?  Presumably not the username!)

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: