Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

This thread has been viewed 2 times

  • 1.  Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

    Posted Jul 03, 2015 12:17 PM

    Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

     

    I can see that there is no client MAC address associated with VIA client authentications, presumably because the client is hidden behind the NAS (the Aruba controller); it's a layer-3 authentication.  Does this mean you could authenticate 1000s of VIA users, without using up any CPPM base licences?

     

    If this is the case, presumably the first limit that would be reached in the system - assuming you have a fat Internet pipe and a 'big' 7200-series controller - would be the ability of your ClearPass server to process all the simultaneous connection requests at the busiest time of the day..?  Are there any guidelines anywhere on how many authentications per second the ClearPass hardware appliances can handle?



  • 2.  RE: Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?
    Best Answer

    EMPLOYEE
    Posted Jul 03, 2015 12:19 PM
    Yes they are counted.


    Thanks,
    Tim


  • 3.  RE: Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

    Posted Jul 03, 2015 12:24 PM

    Thanks for your reply Tim...  A supplementary question:

     

    If the MAC address can't be used to associate with the device  (you agree ClearPass doesn't see the client MAC?) how does ClearPass not double-count PCs when they authenticate to the Wireless network?  Or does Clearpass count that as two devices...?  Do I need two CPPM licences for every machine that regularly connects using both VIA client and WLAN..?



  • 4.  RE: Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

    EMPLOYEE
    Posted Jul 03, 2015 12:29 PM
    VIA's virtual network address should be present in the authentication request.

    Please work with your Aruba or partner SE on proper scaling because authentications per second varies greatly based on authentication method, role mapping, authorization and number of enforcement rules that have to be evaluated.


    Thanks,
    Tim


  • 5.  RE: Do VIA client sessions, authenticated using ClearPass, consume CPPM licences?

    Posted Jul 03, 2015 12:51 PM

    Thanks again Tim - I will talk to our SE about the CP sizing piece...

     

    On the licensing thing; I can't see a VIA virtual network address within access tracker  (?)

    I can see a consistent Access Device IP/Port:   <the IP address of our controller>

    And I can see an End-Host Identifier, which appears to be the registered IP address of each client as it connects

    I can also see each Username: as the system I'm looking at uses domain login credentials  (incidentally:  what would I see if VIA clients were using a machine certificate to authenticate?  Presumably not the username!)