Security

Mainly a licensing question.

Is there a rule of thumb for this? e.g. "if there is a certificate issued by Clearpass CA then an OnBoard license is consumed, otherwise only an Access license is consumed" ?

Some specific examples below. For each example please advise how many OnBoard and Access licenses are consumed (if any):

1. A guest self-registers through Clearpass Guest

2. A visitor has a sponsored-guest workflow through Clearpass Guest

3. A dormitory resident connects their laptop to dot1x BYO SSID, goes through OnBoard workflow captive portal, downloads OnBoard agent/cert, reconnects.

4. The same dormitory resident logs into the Device Register page on Clearpass from their PC, and adds an entry for their Games Console on the BYO SSID.

5. The facilities manager logs into the Device Register page and adds entries for each of their 15 new IoT sensors. 5 of the sensors join the network, 10 are never used.

Any other specific example you can suggest from personal experience that seemed unclear at the time?

It looks like I finally found a document that can clearly answer this question!

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=30330

ONBOARD LICENSES
To better understand how Onboard licenses are consumed, consider the following use case:
• 500 users that can onboard their devices as per the BYOD policy. It is estimated that these 500 users have a total of 1,500 devices based upon network usage.

We just need 500 Onboard licenses since the user count is all we care about. The 1,500 devices do not matter. Additionally, Onboard licenses are consumed regardless whether the device is connected to the network or not. The license is consumed as long as there is at least one active certificate associated with a given user.

ClearPass Onboard is licensed per-username for client certs.