Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

What happens if clearpass onguard licence limits are exceeded?

  • 1.  What happens if clearpass onguard licence limits are exceeded?

    Posted Aug 25, 2016 11:06 AM

    OnGuard licensing seems relatively straightforward, but I have a couple of questions:

    1)  What happens if the customer installs the OnGuard agent to more PCs than the installed number of OG licences on the target CPPM cluster?  (do the additional users fail to get the posture protection?)

    2)  How does ClearPass monitor the number of OG licences in use?   Presumably it must keep track of the unique devices, running the OG agent, with which it communicates regularly?   If so - does CPPM automatically free up OG licences from clients it hasn't heard from for 'a long time'?   If so - how long is 'a long time'?    {Please don't say you have to manually remove all unwanted clients from a database manually!?}



  • 2.  RE: What happens if clearpass onguard licence limits are exceeded?

    EMPLOYEE
    Posted Aug 25, 2016 11:24 AM
    OnGuard licensing is not based on number of installs. It is based on the
    number of unique clients where posture is used as part of a policy decision.
    So the client could be installed on a device, but if you're not checking
    posture when the device authenticates, then it will not count as a license.


  • 3.  RE: What happens if clearpass onguard licence limits are exceeded?

    Posted Aug 25, 2016 11:34 AM

    OK Tim - that makes sense (after all, a client, with the agent installed, may never talk to the CPPM).   So ClearPass is monitoring OG (& OG lics), based upon its communications with clients checking posture.  I think it also does this so long as the client and CPPM are in communication, regardless of authentication, doesn't it - e.g. if a client only ever connects to an 'open' company wired LAN?

     

    This certainly helps my understanding, but I guess still leaves my original Qs outstanding:  Do you know what happens if the number of OnGuard clients exceeds the number of installed OG lics?    Also; how long before ClearPass clears out licences for agents it's no longer hearing from?

     

    Thanks!   :)



  • 4.  RE: What happens if clearpass onguard licence limits are exceeded?
    Best Answer

    EMPLOYEE
    Posted Aug 25, 2016 11:42 AM
    Yes, OnGuard can check in with ClearPass without actually using the posture
    data in a NAD enforcement.



    The way the licensing works is the same as base CPPM. ClearPass counts each
    unique device authenticated using posture data over a 7 day window on a
    rolling basis. The information is then averaged at the end of the month into
    a 7 day rolling average. And just like CPPM, authentication will continue if
    you exceed your license for more than 4 months but you will see warning messages
    in the UI. Please reach out to your Aruba SE if you need more clarity on
    this.


  • 5.  RE: What happens if clearpass onguard licence limits are exceeded?

    Posted Aug 25, 2016 11:49 AM

    Thanks for the further clarity, Tim...   :)



  • 6.  RE: What happens if clearpass onguard licence limits are exceeded?

    Posted Aug 25, 2016 12:13 PM

    Hi Tim - I note you edited your previous description, in light of me mentioning OnGuard-equipped clients 'checking in' with CPPM over an 'open' corporate wired LAN.  Can I take it, then, that these clients would be counted against the OG license count, even though they may never authenticate, if they're only ever on the wired LAN?