07-03-2015 09:16 AM
Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?
I can see that there is no client MAC address associated with VIA client authentications, presumably because the client is hidden behind the NAS (the Aruba controller); it's a layer-3 authentication. Does this mean you could authenticate 1000s of VIA users, without using up any CPPM base licences?
If this is the case, presumably the first limit that would be reached in the system - assuming you have a fat Internet pipe and a 'big' 7200-series controller - would be the ability of your ClearPass server to process all the simultaneous connection requests at the busiest time of the day..? Are there any guidelines anywhere on how many authentications per second the ClearPass hardware appliances can handle?
07-03-2015 09:23 AM
Thanks for your reply Tim... A supplementary question:
If the MAC address can't be used to associate with the device (you agree ClearPass doesn't see the client MAC?) how does ClearPass not double-count PCs when they authenticate to the Wireless network? Or does ClearPass count that as two devices...? Do I need two CPPM licences for every machine that regularly connects using both VIA client and WLAN..?
07-03-2015 09:28 AM
Please work with your Aruba or partner SE on proper scaling because authentications per second varies greatly based on authentication method, role mapping, authorization and number of enforcement rules that have to be evaluated.
07-03-2015 09:50 AM
Thanks again Tim - I will talk to our SE about the CP sizing piece...
On the licensing thing; I can't see a VIA virtual network address within access tracker (?)
I can see a consistent Access Device IP/Port: <the IP address of our controller>
And I can see an End-Host Identifier, which appears to be the registered IP address of each client as it connects
I can also see each Username: as the system I'm looking at uses domain login credentials (incidentally: what would I see if VIA clients were using a machine certificate to authenticate? Presumably not the username!)