Security

Hi All

I have recently been looking into Clearpass CPPM licensing and how they are calculated. Despite some very helpful writ-ups and info online, I struggled to find an explanation that made sense to me and that I could completely get my head around, so I decided to write something on here in the hope that it helps someone else.

This is my understanding of how it works and I am more than happy to be corrected if anybody spots any wrong information.

I think the best way to explain it is with an example.

In this example we will say that we have 1 x 5K clearpass server, this gives you 5000 unique endpoints per day, simple??? Not quite!!!
Your daily total is not actually the number of endpoints on that day, but is actually the average number of endpoint over the previous 7 days.

So let’s say that we have the following number of endpoints on the following days;

Day 1 - 4000 endpoints
Day 2 - 6200 endpoints
Day 3 - 5600 endpoints
Day 4 - 4920 endpoints
Day 5 - 6000 endpoints
Day 6 - 4000 endpoints
Day 7 - 3608 endpoints

In this scenario, your licence total on day 8 would be 4904, this is calculated by adding the totals for the previous 7 days and dividing by 7, so.

4000 + 6200 + 5600 + 4920 + 6000 + 4000 + 3608 = 34328
34328 / 7 = 4904

So even though you went over your 5000 licences on day 2, 3 and 5, you are still under your 5000 limit when averaged over 7 days.

For each day, Clearpass will have two figures; the actual number of endpoints for that day (which it obviously won’t know until the end of the day), and the average number of licences it has calculated that you have used per day over the previous 7 days.

However, this is not the total you will see when you look at the licence summary on the Clearpass GUI, this figure is the 30 day average. This is calculated by adding the 7 day averages together over the previous 30 days and dividing by 30.

So our licence total on day 8 is calculated by adding the actual number of endpoints for days 1, 2, 3, 4, 5, 6 and 7 and dividing that number by 7. Our total on day 9 is calculated by adding the number of endpoints for days 2, 3, 4, 5, 6, 7, and 8 (this is our actual number of endpoints, not the 7 day average) and dividing by 7, and so on and so on for the next 30 days.
These 7 day averages are all added together for the previous 30 days and divided by 30 to give us the 30 day average that we see on the licence summary.

I hope this makes sense and is of some help, if you see anything I have got wrong please feel free to correct me.

Thanks

Dave

Dave,

Let me try to give some clarity.

The description you give pretty much is accurate for the ClearPass guest add-on license, with the averaging over 7 days.

For the CPPM appliance itself, there is a unique device count that is determined by the chosen appliance size (500, 5000 or 25K). This is a unique device count for which the appliance has been sized, and going over that may result in performance issues and non-compliant operation. The 7 days come into play as unique MAC addresses are considered no-longer after 7 days. So for the appliance sizing, you should count ALL MAC addresses that connect to the network (successfully authenticate).

Guest works with the average that you explained; Onboard counts the number of certificates issued by the CA that are still valid; OnGuard follows the capacity mechanism that I just explained.

High-capacity Guest mode doubles the appliance capacity by disabling enterprise authentication (802.1x); and considers MAC addresses inactive after 24 hours.

Unfortunately, there has been some conflicting information out in the past. Please work with your local Aruba Sales team or partner in case you have more questions or need help with sizing your ClearPass appliances. Current ClearPass training for ACCA/ACCP is up-to-date. Aruba partners can find more detailed information on Arubapedia for Partners.

Thanks for the reply, I agree that there is alot of confliction information out there, which I may have just inadvertently added to, which is why I struggled to find what I needed. I did open a case, via our support company, and had a call with a TAC engineer who explained the CPPM licencing to me pretty much exactly as I wrote, but I may have misunderstood.

Could you explain what you mean by "The 7 days come into play as unique MAC addresses are considered no-longer after 7 days", and when you say "So for the appliance sizing, you should count ALL MAC addresses that connect to the network (successfully authenticate).", what period is this over?

Thanks

Dave

 The way I always understood it, is that you have several licenses each of which with its own specifics:

1) the built-in policy manager license.

This is set on ordering and only available in 500, 5000 or 25000 variants. Add new appliances to increase the count.

The count for this license is on a on a 7-day rolling average where the daily result then gets fed into a 30-day average. 

The metric used to count is 'authenticating devices per day'. Meaning a device that logs via guest portal and later that day gets mac authenticated only counts as 1 license used ( for that day). The same user that authenticates with 2 devices gets counted twice.

Although I'm unsure what exactly happens when you reach this limit the message is: 'make sure you don't reach it!'. You do get locked out of the management interface.

2) guest/onguard licenses (& enterprise used for this)

available in custom counts

Uses a 7 day rolling avarage to allow peaks above the actual license count.

A device authenticating first on a captive portal and than gets a healthcvheck (onguard) counts towards guest AND onguard licenses on top of the policy manager license (3 licenses used!)

Exceeding the rolling average enough times will get you locked out of the management  interface and leaves only an option to add licenses. Guests will no longer be able to self-register either.

3) onboard licenses (& enterprise used for this)

available in custom counts

actual provisioned devices (no rolling avg). Cannot be exceeded. Won't except new onboarding if there are no licenses available anymore.

4) quick connect

per user / honor based (no enforcement)

This was how I originally expected the CPPM licence count to work, however if this were the case I would expect to see the "Used Count" to reset every morning and start again from 0, however this is not what I saw.

I recently had to take our Clearpass server out of service for a while and expected that, once I stopped sending requests to it, the licence count would return to 0 after 7 days (as I assumed the licences were averaged over 7 days), however they did not. This prompted a call to our support partner, and subsiquently Aruba, for some clarification and this was when the 30 day average was explained to me. Once my Clearpass server had been out of service for 30 days I did indeed see the licence count return to 0.

I'm not sure if this is just the way the count is displayed in the GUI and it is actually calculated differently for the purposes of "enforcement" if the limit is breached. It would seem sensible that the number visible to the administrator is accurate, otherwise it would be very difficult to keep an eye on your licence count.

Thanks

Dave

based on the policy manager license you mentioned that it refresh to zero for the next day. how could i change to this setting? because currently we have CPPM server deployment with 5k license and its prompting us that is exceeded the number of license, the average number of endpoint authenticated per day is 1000 to 2000. could you give us suggestion how could we refresh the endpoint  license used to zero daily or start of the next day?

BR,

Carlo