Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass licensing

  • 1.  Clearpass licensing

    Posted Aug 05, 2014 05:34 AM

    Hi All,

     

    I've read the "ClearPass-6-0-Licensing-Tech-Note-72413.pdf" guide. It left me with a few minor gaps in my understanding, however, specifically in terms of the rolling average vs unique endpoint auths per day. Can anybody clarify please?

     

    Assume you had a very transient environment, and CPPM with a 100 guest user license, and on day 1 you get 100 unique endpoints. Then on day 2, you get 100 different unique endpoints, and so on through the week (shopping centre/mall maybe). Is there a consequence, or does the following (referenced document extract/comment) allow for it?

     

    "The same 7-day rolling average will be used to measure license usage, but this measurement is reset daily to accommodate the short term nature for providing guest access and the high turnover of users."

     

    If it does allow for it, what maths are applied? Is it the count of unique devices for the week divided by 7 (must not be greater than the license limit over time, allowing for burst)? Or something more complex?

     

    Furthermore, I was given to understand that CPPM also measures the license consumption monthly as well as weekly? Is this also true? If so, does it just go back 1 month previous each time, or does it extend back further in some way?

     

     



  • 2.  RE: Clearpass licensing

    Posted Aug 05, 2014 05:44 AM

    Adding my collected information on this which might or might not enlighten the topic for you ;)

     

    Clearpass Policy Manager

     

    • Licenses based on the number of unique authenticating endpoints (devices) per day
    • This is averaged across a 7 day period to take into account normal peaks and valleys to determine whether or not you are exceeding your limit.
    • If you exceed your limit you will get a warning in the WebUI
    • If it was an abnormal week, nothing will happen and that warning will disappear.
    • If you exceed your license count for 4 out of 6 months, you will be locked out of the WebUI until you resolve the issue
    • At no point will we disable the system from authenticating users if you exceed the license limit.

     

    Pasted from <http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Clearpass-Guest-Queries/m-p/39894/highlight/true#M605>

     

     

    Yes...we enact the 7 day moving average to take care of inevitable peaks and valleys in usage of the system.  In the event that you exceed the 25 limit for a trailing 7 days, the system will do the following:

     

    Each month a licensing management feature within ClearPass monitors the 7-day rolling average as described and if capacity is exceeded, then the current month is flagged as “out of policy”.

     

     

    This will trigger a warning message to the administrator that is displayed on the ClearPass Policy Manager dashboard.

     

    If authentications of guests’ devices continue to exceed 25 devices for 4 months out of a 6 month period the next step is to go beyond the warning message described above and actually lock the administrator out of the Policy Manager GUI.

     

    While users will continue to be authenticated, exceeding the warnings will prevent the administrator from making any policy changes, running any usage reports or troubleshooting any connectivity issues that might arise. 

     

    From <http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Guest-Licensing-Question/m-p/88392/highlight/true#M6175>

     

     

    Clearpass Guest

     

    Guest is special, the MAC addresses refresh per day. You end up with a weekly view so that you can see a daily average though.  We understand that in guest environments users come and go on a much quicker basis than in the enterprise itself.

     

    The policy manager tracks the unique MAC addresses that it sees on a daily basis, but the refresh is weekly.

     

    From <http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Guest-Licensing-Question/td-p/88392/highlight/true/page/2>

     

    Guest uses a daily reset model. If you have 1 appliance and use the starter bundle (25 licenses) all for guest, you can authenticate 25 unique MAC addresses per day that are connected by guests (we support bursting so that if you have not purchased the right level of licenses, users are not denied access). The next day you may see some of the same MAC addresses and new ones. If you stay under or at 25 authentications you have enough licensing (again bursting is supported). 

     

    The problem starts when you consistently see 30/40/90 authentications per day over 3 months. Then it's time to buy the next level license bundle.

     

    Trent

    ClearPass Product Management

     

    From <http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Guest-Licensing-Question/td-p/88392/highlight/true/page/2>



  • 3.  RE: Clearpass licensing

    Posted Aug 19, 2014 04:33 AM

    What about in a cluster? If you have two 500 appliances, can you authenticate 1000 MACs daily or 500?



  • 4.  RE: Clearpass licensing

    Posted Aug 19, 2014 05:24 AM

    Well - one of the purposes for the cluster functionality is to increase the amount of devices it can support. So - that would mean 1k devices for a cluster of 2x500 CP's

     

    From a FAQ:

     

    Q: Is there a limit on the number of devices the ClearPass Policy server can support?
    A: There is a range that is designated by the physical characteristics of the ClearPass baseline
    appliance. To support a greater number of devices, customers can purchase additional
    appliances to create a cluster that can support very large numbers of devices. For
    additional details and proper sizing of a ClearPass server, check the latest Aruba pricelist.



  • 5.  RE: Clearpass licensing

    Posted Aug 19, 2014 06:51 PM

    Makes sense, thanks.



  • 6.  RE: Clearpass licensing

    EMPLOYEE
    Posted Aug 19, 2014 06:55 PM
    You would use some type of load balancing across both your servers.


  • 7.  RE: Clearpass licensing

    Posted Aug 19, 2014 06:58 PM

    As long as you have at least a couple of NAS with similar loads, pools with different server order should work ok.

     

    I have used an F5 before with a RADIUS profile based on username, also works fine. However, just found out there is a problem if you need auth and acct for a session to go to the same server.



  • 8.  RE: Clearpass licensing

    EMPLOYEE
    Posted Aug 19, 2014 07:00 PM
    AOS 6.4 supports both RADIUS load-balancing and multiple RADIUS accounting servers.