
ClearPass Anonymous Captive Portal Licensing

  • 1.  ClearPass Anonymous Captive Portal Licensing

    Posted Dec 17, 2015 11:11 AM

    Hi All, 

     

    I am working on setting up a captive portal solution using ClearPass to provide a number of services.  Among the things I am trying to accomplish are:

     

    1) Allow single click captive portal for basic access

    2) Allow captive portal login for users with AD accounts. 

    3) Allow special guests the ability to self-register with sponsorship

     

    I have all three of these working already, however my concern is about licensing.  The anonymous login option in ClearPass defaults to using a Guest User account.  My understanding of ClearPass licensing is that this consumes a Guest license for each unique MAC address using this login per-day.  We have enough Guest licenses to cover the limited self-registration but not enough to cover a horde of anonymous visitors.  Thus my questions are:

     

    1) Will each anonymous visitor indeed consume a guest license? 

    2) Is there any way to change the authentication source for this single anonymous account to, say, the local user repository, so that it does not consume Guest licenses?

     

    Thanks! 



  • 2.  RE: ClearPass Anonymous Captive Portal Licensing

    EMPLOYEE
    Posted Dec 21, 2015 04:27 PM

    In the web login page configuration for anonymous logins, there is only 1 guest license that is consumed as you are prompted to create a local guest user to use for authentication on the T&C page. The amount of MAC addresses per day would have to be sized and matched against an appropriate ClearPass policy manager appliance but you should be able to scale this up without additional guest licenses being consumed.



  • 3.  RE: ClearPass Anonymous Captive Portal Licensing

    Posted Dec 23, 2015 09:38 AM

    Hmm, ClearPass licensing has always been rather confusing. You seem to be saying that Guest license consumption is based on the Guest user account and NOT on the unique MAC addresses authenticating as a Guest.  That appears to contradict this forum post: 

    http://community.arubanetworks.com/t5/Mobility-Hero-Tutorials/ClearPass-Licensing-Explained/ta-p/207739

    Which explains Guest licensing thusly:

    ClearPass Guest
    The licenses count towards authenticated endpoints connected to a Guest user account, not the guest user account itself.
    The CPPM tracks the unique MAC addresses registered on a Guest that it sees on a daily basis, but the refresh is weekly.
     
    Example:
    If you have one appliance and use the starter bundle (25 Enterprise licenses) all for Guest, you can authenticate 25 unique MAC addresses per day connected by Guests.

    I would be very happy if you are correct and all 5000+ devices authenticating per day using the Anonymous guest user account will only consume a single Guest license (obviously they would still consume 5000+ Policy Manager licenses).  Can you or someone else at Aruba confirm this?  

     

    Thanks! 

     

     

     



  • 4.  RE: ClearPass Anonymous Captive Portal Licensing

    Posted Dec 26, 2015 10:32 AM

    If you have a ClearPass Aruba SE around, I would contact him / her.