Security

Hello,

I have a customer who is using the following setup for its internal users:

=======================================================================================

- users login to a self-registration portal and create an account using their corporate email address in the sponsor field (for accountability)

- users then receive the confirmation email (as a form of validation) and they accept it to activate the account

- users can then use their newly create credentials to logon to the coprorate SSID which uses 802.1X/EAP

=======================================================================================

This is to allow users to create their own account on the fly and still maintain a record of which users have access to the network.

The question is:

- Will this process use any CP Guest licenses?

I believe it shouldn't as the self-registration portal is only used to create the accounts - users then access the network via an internal SSID so they should only use CP Policy Manager licenses, but I am looking for a confirmation.

Many thanks,

G/

If you don't authenticate from the guest dbase, it doesn't increment the guest license count.

EDIT: while the above line is correct, after reading again, you ARE authenticating (dot1x) towards the guestdatabase so yes, you would definitely need guest licenses imho. Pardon my earlier bit of info, I need to read properly. I thought/read you were asking additional info from AD users for example and storing that in the guestdbase.

source:

http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/What-is-possible-without-Guest-license/m-p/84292

---

@carlos@arubanetworks.com wrote:

@Hi all, my name is Carlos and I am the product manager for ClearPass @ Aruba Networks so hopefully I can clarify a few things for you.

 

Firstly, you dont need any guest licenses when you are authenticating against an external source eg. an AD, LDAP, SQL (or any of our supported authentication sources).  This is also true in the case of SAML, if the identity store is external to ClearPass (which it will be given CP is a Service Provider and not an Identity Provider for the purposes of SAML), then there is no guest license requirements.  Using our branded captive portals and skin technology is a base platform feature and included for every customer.

 

Secondly, registering a devices MAC address through our web portals and doing subsequent MAC auth to the network also does not require any guest licenses.  So you can have a user login with their AD (or other external) credentials, capture the device MAC address and cache that for subsequent authentication all with the platform features out of the box.

 

The only time guest license are consumed is when you provision an account into the CP Guest database and that guest account is used to authenticate to the network.  So you can actually create 1000s of guest accounts in the database, but if only 100 of those are being used per day, then you only need to support 100 Guest licenses.

 

Now one thing to also remember is that the AAA capacity of the box, and that is something independent to how the user/device authenticates (user/pword, TLS cert, MAC address, etc).  The AAA capacity for our appliances is for 500, 5k or 25k unique endpoints and does support bursting to deal with peaks and exceptions.

 

I hope that clarifies a few things, feel free to reach out to me if you need any more clarification

 

carlos@aruba

---

I am curious to see if you get an official response from Aruba on this.

You've posed an interesting use case. 

One the one hand, I have seen posts by Aruba employees stating that any use of the internal guest database and subsequent logon with one of those accounts will count against your license total.   In your case, creating those accounts would go into the guest database.

On the other hand, ClearPass Guest uses the Active Session table to determine the number of Guests on at any one time.   This information is received from the wireless controller through RADIUS Accounting.  

What is technically allowed vs. how it is calculated seem to conflict, so I am interested in knowning the Aruba take on this scenario, especially for your use case of using the guest database for 802.1X authentications; not guest network authentications.

From what's already been stated in this thread:

• users can then use their newly create credentials to logon to the coprorate SSID which uses 802.1X/EAP

• The only time guest license are consumed is when you provision an account into the CP Guest database and that guest account is used to authenticate to the network

This looks to me like a guest license will be consumed; you are creating a guest database entry, and using it for authentication.

[coprorate?]

I should really learn to spell...

G/

We had a solution similar to this to deal with employees visiting from our other global locations. We have some areas where there is no AD/LDAP and no way to really identify the employees; they do have a company email address though. So we allowed them to register an account (using company email address) and then they would connect to a secure SSID using 802.1X using the account credentials they just created.

I unfortunately never checked to see the Guest license count though.