Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

What is possible without Guest license?

  • 1.  What is possible without Guest license?

    MVP
    Posted Jun 20, 2013 05:54 AM

    A bit of a weird question perhaps but what's still unclear to me is what features / configs are possible with just a base policy manager license and what features require a guest license.

     

    I know what is counted for guest licenses (authenticated devices) but again, when does it actually trigger a guest license vs the policy manager license?

     

    Anyone ever see any document detailing this? 



  • 2.  RE: What is possible without Guest license?

    Posted Jun 20, 2013 10:10 AM

    Okay, I asked something similar which might answer your question

     

    http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Clearpass-Build-in-features/td-p/82168

     

    Does this answer your question?

     

    Without the guest license you will just have policy manager but no onguard, no guest, no onboard; you would have built-in features

     

    Cheers

    Carlos



  • 3.  RE: What is possible without Guest license?

    MVP
    Posted Jun 20, 2013 11:16 AM

    Not really, I fear, Carlos.

    Does it basically mean that whatever I configure in /guest uses a license?  I'm still confused I fear.

    Where did you find that online configurator thing you mention though? That might actually be useful I think.



  • 4.  RE: What is possible without Guest license?

    Posted Jun 20, 2013 11:52 AM

    Yes you need to buy the license of guest to configure guest features...

    Now like it says in the thread I gave you before, by default it comes with 25 enterprise licenses which you can use in anything you want... you can use them as 25 guest licenses...

    But you need guest license to make it work, but remember by default it comes with 25 enterprise licenses which you can use on the guest module.   Got it?


    Cheers

    Carlos



  • 5.  RE: What is possible without Guest license?

    MVP
    Posted Jun 24, 2013 11:08 AM

    I understand the 25 enterprise licenses. What I don't understand is when/what triggers it..

     

    Say I redirect a client to a captive portal hosted on the cppm server..  does this already count his device towards the guest count?

    What about operator profiles? These are configured from the guest application. Can I use these without guest license?  How would this even get counted with the guest count being per authenticated device?

     

    What is or isn't possible without guest license is what I need to know.  



  • 6.  RE: What is possible without Guest license?

    EMPLOYEE
    Posted Jun 24, 2013 05:35 PM
    Yes. The 25 free enterprise Lic were a way for you to try each of the features even though you don't have Guest, OnBoarding, or OnGuard.


  • 7.  RE: What is possible without Guest license?

    Posted Jun 25, 2013 08:51 AM

    Hi

     

    I have the exact same question, what can be done without Guest license? Or more exact, what is OK to do from a license perspective.

     

    Let's say I would like to have a plain web login page as Captive portal to authenticate AD users, and assume I have about 4000 users that would use this authentication method. Do I need a Guest license for this purpose?

    If I redirect the users to a captive portal on the controller instead, it's free. But do we need Guest licenses for the AD users authenticating if the page is in ClearPass?

     

    A second case is SAML authentication in the captive portal. This is also a web login page configured under Guest, will this also require Guest licenses? Assume 4000 users also in this case.

     

    A third case is a school that will require students to self register devices the school hands out to them and limit the number of devices per user to block users from bringing their own devices and connecting to the network. In this case a large number of students will use the web login form, but just once to register the device. Most of them in a short period of time just after school starts in the autumn when they get the devices.

     

    It is possible to configure and try with the 25 Enterprise license, but is it OK or not?

    I get double messages when talking to the local Aruba Networks reps.

     

    Regards

    Jonas



  • 8.  RE: What is possible without Guest license?
    Best Answer

    Posted Jul 01, 2013 03:00 PM

    Hi all, my name is Carlos and I am the product manager for ClearPass @ Aruba Networks so hopefully I can clarify a few things for you.

     

    Firstly, you don't need any guest licenses when you are authenticating against an external source, e.g. an AD, LDAP, SQL (or any of our supported authentication sources).  This is also true in the case of SAML, if the identity store is external to ClearPass (which it will be given CP is a Service Provider and not an Identity Provider for the purposes of SAML), then there is no guest license requirement.  Using our branded captive portals and skin technology is a base platform feature and included for every customer.

     

    Secondly, registering a device's MAC address through our web portals and doing subsequent MAC auth to the network also does not require any guest licenses.  So you can have a user login with their AD (or other external) credentials, capture the device MAC address and cache that for subsequent authentication all with the platform features out of the box.

     

    The only time guest licenses are consumed is when you provision an account into the CP Guest database and that guest account is used to authenticate to the network.  So you can actually create 1000s of guest accounts in the database, but if only 100 of those are being used per day, then you only need to support 100 Guest licenses.

     

    Now one thing to also remember is the AAA capacity of the box, and that is something independent of how the user/device authenticates (user/pword, TLS cert, MAC address, etc).  The AAA capacity for our appliances is for 500, 5k or 25k unique endpoints and does support bursting to deal with peaks and exceptions.

     

    I hope that clarifies a few things, feel free to reach out to me if you need any more clarification

     

    carlos@aruba



  • 9.  RE: What is possible without Guest license?

    Posted Jul 02, 2013 03:53 AM

    Thank you Carlos!

     

    Your answer makes the license need much clearer to me.

    I think you may need to propagate this information within the sales and technical organization of Aruba Networks. Because I have received some strange answers in the past.

     

    Regards

    Jonas



  • 10.  RE: What is possible without Guest license?

    MVP
    Posted Jul 03, 2013 10:43 AM

    Thank you for the clarification Carlos, much appreciated.

    If you could answer a few more questions to rule out any confusion on my end...

     

    1) You say any auth that uses guest database counts towards the guest license limit. This is still per device then? So a guest authenticating his pc and his smartphone on the same day counts for 2 guest licenses?

     

    2) We have Local Users, Guest Users, Onboard Devices, Endpoints and Static Host Lists. What counts towards guest license and what doesn't?

     

    3) If we've configured cppm to save the user's mac-address and then have mac-auth active so that guests don't need to log in manually on a captive portal after each user-idle-timeout, these do not use a guest license? That means that e.g. a hospital patient would use guest licenses on only 1 day of his stay.

     

    4) If we do not use mac-auth after the initial captive portal logon, the same guest would count for 1 account (or 2 devices) each day of his visit (thinking the hospital patient here).

     

    5) The 'base' policy manager license does not support bursting on any cppm (vm or appliance)?

     

    6) You might want to inform your system engineers. This is the first time I've heard the guest database mentioned in an explanation about CPPM guest licensing. The "ClearPass 6.0 Licensing Guide" from December 2012 does not mention anything like this either, so it really requires an update as well.