Tutorial submitted by: jsolb
I often get questions from customers and our own organization on how ClearPass licensing works. Also – on the Aruba Airheads forums there are many questions – and answers – on the topic of ClearPass licensing. This document/post seeks to summarize that.
Parts of the document are information collected from the Airheads forum – see the reference list at the end.
Please let me know if there are points I'm wrong on, or that need further explanation, for instance using examples/scenarios.
First - ClearPass Basics
Licensing in ClearPass Policy Manager is always counted against endpoints/devices, not user accounts. One user may have more than one device; the most common number today is 2-3 and steadily increasing. Remember this when scaling your solution.
ClearPass Policy Manager (CPPM)
New functionality in 6.4!
If you plan to use CPPM ONLY for the Guest application, there is a feature you can activate called "High Capacity Guest mode". This doubles the number of Guest user devices you can authenticate on a single server, meaning a CP-500 can authenticate 1000 Guest devices. You will need the correct number of Guest licenses, but this will save you the cost of an extra CPPM server if you need between 500-1000 devices.
News in 6.4!
Introducing the High Capacity Guest mode feature, where you can have double the number of Guest devices on a CPPM server. For your CP-500 server you can then authenticate up to 1000 devices. You will need the correct number of Guest licenses, but this will save you the cost of an extra CPPM server if you are slightly above 500 devices.
Not available if you are using High Capacity Guest Mode
ClearPass Policy Manager
You will have to activate the server license through the WebUI within 90 days of installation, but the license itself does not expire.
For support, and to be able to update to the latest versions and patches through the WebUI, you will also need an active support subscription, either ArubaCare or PartnerCare. You buy a subscription for a period of x years and it is NOT automatically renewed. Contact your Partner or Aruba contact for renewal.
NOTE! The system continues to work even with an expired subscription, but you get no support or updates until renewal.
Licensing is based on the number of unique authenticating endpoints (devices) per day.
If you reach the limit on your existing system, you can add additional servers to a CPPM cluster to be able to authenticate more devices. See attached figures.
The licenses count towards authenticated endpoints connected to a Guest user account, not the guest user account itself.
The CPPM tracks the unique MAC addresses registered on a Guest that it sees on a daily basis, but the refresh is weekly.
If you have one appliance and use the starter bundle (25 Enterprise licenses) all for Guest, you can authenticate 25 unique MAC addresses per day connected by Guests.
The system supports bursting, so that if you have not purchased the right level of licenses, users are not denied access. The next day you may see some of the same MAC addresses and new ones. If you stay under or at 25 authentications you have enough licensing (again, bursting is supported). The problem starts when you consistently see 30/40/90 authentications per day over 3 months. Then it is time to buy the next level license bundle.
Application licenses in CPPM have a centralized license model. The Guest Application license is added to the Publisher, and Subscriber nodes draw from this pool when authenticating.
Onboard licensing is based on the number of active and unique device certificates that have been provisioned. As the certificates expire or are revoked they will be removed from the license count.
The same model as CPPM for devices that go through a posture/health check.
Example: if you have 2500 devices authenticated through 802.1X, and of these only 1000 are company-owned laptops authenticated daily, and you want to do posture assessment of these 1000 devices, you will need 1000 OnGuard licenses.
Thanks to Tim Capalli for pointing out the new features for 6.4
Old question, but just to close it for new readers.
In response to the question from Jonas Hammerbakk.
The licenses will be added together. In your case you will have 100 + 25 Guest (/Onboard/OnGuard) licenses. So unless you exceed 125 you're OK.
This post makes the license model quite clear.
But what about this case:
On a CPPM server you have 100 Guest licenses.
If the number of guests stays under 100, there are no questions. But if the guest usage rises and goes above 100, what will happen now?
Will ClearPass start to count some guests from the default Enterprise license? Or will the guest license be exceeded?