Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Doubt about ClearPass licenses

  • 1.  Doubt about ClearPass licenses

    Posted Jul 21, 2017 10:57 AM

    Good morning community,

     

    Please could anyone clear these two doubts I have about ClearPass licenses?

     

    1 - The Onboard license is based on the number of onboarded devices, that is, onboarded devices with active/valid certificates. Does this mean a device that has been onboarded with an active certificate does not need to be authenticated and active in the network for this license to be counted? So if a device onboards, gets an active certificate and takes an Onboard license, and then disconnects from the network, the Onboard license is still counted and not released back to the license pool. Please confirm.

     

    2 - If the total license count is exceeded, the administrator could be locked out of the Web UI (depending on certain conditions), but authentication won't be affected and users will still be able to authenticate. Does this mean any number of users will still be able to authenticate indefinitely? For instance, I have 1000 guest licenses and I have exceeded this amount for 5 months, then I will be locked. Will only 1000 guest users be able to authenticate every day? Or will 2000 guest users also be able to authenticate every day?

     

    Many thanks in advance,

    Julián



  • 2.  RE: Doubt about ClearPass licenses

    EMPLOYEE
    Posted Jul 21, 2017 11:16 AM

    Hi,

     

    As long as the device certificate is present in ClearPass, the Onboard license will be counted. It will be released only when we revoke the certificate or delete the onboard device entry from the onboarded device list.

     

    We see a license exceeded alert when the Guest license usage count, calculated based on the 30-day average of the per-day total, is GREATER_THAN the total count.

     

    If we keep ignoring it after a few days, the GUI will get locked, but authentication will still happen; CPPM does not reject, even if the license count is exceeded.

     

    Regards,

    Pavan



  • 3.  RE: Doubt about ClearPass licenses

    EMPLOYEE
    Posted Jul 21, 2017 11:17 AM

    Onboard is a hard license count. The total number of valid TLS client certificates is the Onboard license count.  If they are revoked or expire, that license is returned to the pool.

     

    Yes, authentication will always continue. You should never go that long with an exceeded license though.



  • 4.  RE: Doubt about ClearPass licenses

    Posted Jul 21, 2017 11:30 AM

    Hi Pavan and Tim,

     

    Thanks for your interest. Then I am correct if I say:

     

    1 - Taking into account the certificate is valid, if the device is not present in the network the license is still counted.

     

    2 - Taking into account I have 1000 guest licenses exceeded, 2000 devices and more will be able to authenticate every day. I know it is not recommended to exceed the license capacity and still let users authenticate for a long time; I am just asking for clarification.

     

    Regards,

    Julián



  • 5.  RE: Doubt about ClearPass licenses

    EMPLOYEE
    Posted Jul 21, 2017 11:35 AM

    Hi,

    Yes, it will still count the license even though the device is not active on the network, and CPPM does not reject authentication requests even if the guest license count is exceeded.

     

    Regards

    Pavan

     

     



  • 6.  RE: Doubt about ClearPass licenses

    Posted Jul 21, 2017 11:48 AM

    OK, many thanks both for clarifying!

     

    Regards,

    Julián



  • 7.  RE: Doubt about ClearPass licenses

    EMPLOYEE
    Posted Jul 21, 2017 01:38 PM

    To be clear. If either the policy manager license or guest license is exceeded for 4 out of 6 months, existing guest users can continue to authenticate, but self-registrations (new accounts) will not be able to be created.



  • 8.  RE: Doubt about ClearPass licenses

    Posted Jul 21, 2017 01:59 PM

    Hi Tim,

     

    But is that totally correct? You won't be able to create new guest accounts as long as the Guest UI is locked, but as far as I know this lock is application specific.

    I mean if only Policy Manager licenses are exceeded for 4 out of 6 months, only the Policy Manager UI will be locked, but the Guest UI will still be available and new guest accounts can still be created. Am I correct?

     

    Regards,

    Julián



  • 9.  RE: Doubt about ClearPass licenses

    EMPLOYEE
    Posted Jul 21, 2017 02:02 PM

    Policy Manager is a base license which is required for all other functionality. If Policy Manager license is exceeded and goes into violation state (4 out of 6 months), you will not be able to access the guest UI (which includes guest self-registration).

     

    Like I said, you should never be running in a state where this would occur.



  • 10.  RE: Doubt about ClearPass licenses

    Posted Jul 21, 2017 03:05 PM

    Thanks for the clarification!

     

    Regards,

    Julián