Contributor II
Posts: 75
Registered: ‎05-06-2014

What happens if clearpass onguard licence limits are exceeded?

OnGuard licensing seems relatively straightforward, but I have a couple of questions:

1)  What happens if the customer installs the OnGuard agent to more PCs than the installed number of OG licences on the target CPPM cluster?  (do the additional users fail to get the posture protection?)

2)  How does ClearPass monitor the number of OG licences in use?   Presumably it must keep track of the unique devices, running the OG agent, with which it communicates regularly?   If so - does CPPM automatically free up OG licences from clients it hasn't heard from for 'a long time'?   If so - how long is 'a long time'?    {Please don't say you have to manually remove all unwanted clients from a database manually!?}

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: What happens if clearpass onguard licence limits are exceeded?

OnGuard licensing is not based on number of installs. It is based on the
number of unique clients where posture is used as part of a policy decision.
So the client could be installed on a device, but if you're not checking
posture when the device authenticates, then it will not count as a license.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: What happens if clearpass onguard licence limits are exceeded?

OK Tim - that makes sense (after all, a client, with the agent installed, may never talk to the CPPM).   So ClearPass is monitoring OG (& OG lics), based upon its communications with clients checking posture.  I think it also does this so long as the client and CPPM are in communication, regardless of authentication, doesn't it - e.g. if a client only ever connects to an 'open' company wired LAN?

 

This certainly helps my understanding, but I guess still leaves my original Qs outstanding:  Do you know what happens if the number of OnGuard clients exceeds the number of installed OG lics?    Also; how long before ClearPass clears out licences for agents it's no longer hearing from?

 

Thanks!   :)

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: What happens if clearpass onguard licence limits are exceeded?

Yes, OnGuard can check in with ClearPass without actually using the posture
data in a NAD enforcement.



The way the licensing works is the same as base CPPM. ClearPass counts each
unique device authenticated using posture data over a 7 day window on a
rolling basis. The information is then averaged at the end of the month into
a 7 day rolling average. And just like CPPM, authentication will continue if
you exceed your license for more than 4 months but you will see warning messages
in the UI. Please reach out to your Aruba SE if you need more clarity on
this.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: What happens if clearpass onguard licence limits are exceeded?

Thanks for the further clarity, Tim...   :)

Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: What happens if clearpass onguard licence limits are exceeded?

Hi Tim - I note you edited your previous description, in light of me mentioning OnGuard-equipped clients 'checking in' with CPPM over an 'open' corporate wired LAN.  Can I take it, then, that these clients would be counted against the OG license count, even though they may never authenticate, if they're only ever on the wired LAN?
