Security

 View Only
Expand all | Collapse all

Clearpass authentication request

This thread has been viewed 5 times
  • 1.  Clearpass authentication request

    Posted Dec 07, 2016 03:28 AM

    Hi,

     

    As per my knowledge each and every request hitting clearpass for authentication, successfull or unsuccessful will consume one license. please confirm if somebody knows more about it.

     

    I have a scenarion where i want to restrict to user to use/authenticate one device, if the same user trying to authenticate with some other device, access denied but in this case will the clearpass utilize two license ?

     

    Is there any other way to cope the situation.

     

     



  • 2.  RE: Clearpass authentication request
    Best Answer

    Posted Dec 07, 2016 04:18 AM

    Policy Manager license are based only on 'Total number of unique MAC address succesfully authenticated'. Clearpass calculates in a rolling average of license. 

     

    Every day Clearpass calculates total unique devices succesfully authenticated in the past 7 days and keep it in cache/memory. Say like today it would have ran from 30th Nov to 6th Dec. Yesterday it should have ran like 29th Nov to 5th Dec. Another process sum all these values every 30 days. If the license cound exceeds the count of license installed, then it will trigger a warning. If the warning limit is reached continuesly for 4 out of 6 months, then Clearpass GUI is locked for changes (Authentication will still continue to work).

     

     

    There are wide possibility of senarios which you have mentioned as stated below:

    * Want to disconnect the 1st connected device and allow 2nd device (this will consume two license as they are two unique devices succesfully authenticated).

    * Want to deny access for new device until the 1st one is disconnected (This will also consume license as, it will allow the second device to connect and then send a CoA with in few seconds).

    * For any other requirment you may have to write a custom SQL query to fetch the previously logged in user informatino and take decision based on that. This can control licnese utilizatoin as we can take desission to send Accept or Reject based on the username, Yet this gets complicated in logic and scalability.

     

    For your first senario, Post-authentication enforcement is applied to restrict based on session count. For this, accounting and Insight should be enabled.