  • 1.  ClearPass 6.8 - licensing question

    Posted Sep 10, 2019 03:03 AM

    Hi

    I'm currently using ClearPass VM version 6.8 with 1000 Entry licenses. I need to add some additional functionality which is provided by Access licenses - can I add 100 new Access licenses on the existing VM? I heard that mixing Access/Entry on the same VM is not available, but that sounds strange to me.



  • 2.  RE: ClearPass 6.8 - licensing question

    Posted Sep 10, 2019 05:03 AM

    The number of Access Upgrade licenses must match the number of Entry licenses for the system to move from Entry mode to Access mode. 

     

    Refer: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=35811

     

    It isn't strange; Profiling is a functionality that cannot be restricted to 100 devices only if you have 1000 devices in total.



  • 3.  RE: ClearPass 6.8 - licensing question

    Posted Sep 10, 2019 08:32 AM

    Well, I just need 100 Access licenses to provide full TACACS capabilities for my devices. Nothing related to 802.1X.

     

    So where is the logic here?

     

    TACACS is working with Entry, but not fully. Bloody true.

     

    My deployment is not so bad, but imagine 20000 endpoints (20k Entry) and TACACS required just for 500 switches. 

     

     



  • 4.  RE: ClearPass 6.8 - licensing question

    Posted Sep 10, 2019 11:07 PM

    If TACACS is a requirement, access license is. Really Entry license is only for customers requiring basic AAA services.

     

    You have an option to spin up a new VM with 100 Access Licenses for TACACS only.

     



  • 5.  RE: ClearPass 6.8 - licensing question

    Posted Sep 11, 2019 02:06 AM

    Yes, I know and I will do that. But... it's a very unclean solution - I cannot use the same system for both TACACS and 802.1X due to stupid licensing limitations.

     

    Maybe a good message for ClearPass PLMs: guys, please just introduce a Full_TACACS license - costs the same as 100 ACCESS licenses - it will resolve this issue. I'm sure I'm not the only one affected.

     

    Going back to Entry licenses - they're sufficient for most 802.1X deployments. CPPM 6.7 with Access licenses was much more expensive compared to e.g. Cisco ISE or earlier 6.6 licensing. It's just a summary of what we had in the case of our NAC RFP. Without Entry licenses I'm sure right now we will use ISE instead due to lower CAPEX.