A simplified look at ClearPass Licensing

By trent posted Nov 03, 2015 04:28 PM

  

 

I decided to put together a short ClearPass ordering example based on some of the questions I’m seeing in the community. Let me know what you think.

 

After deciding on ClearPass to help solve AAA, BYOD, guest and health check use cases, it’s finally time to put together a bill of materials. Let’s assume that the customer has 3000 employees and 100 to 200 new guests per day. The starting point is to determine how many devices will be authenticated on a weekly basis (laptops, printers, smartphones, tablets, etc.), and then choose a ClearPass appliance.

 

Policy Manager: The appliances come in 3 models - 500, 5K, or 25K - which can be purchased in either virtual or hardware format. Remember to think devices and not users. When IT does not know the number of devices, it will often use the number of people multiplied by 2.5 as a baseline to determine the number of devices. Let’s use 8,000 devices for this example, based on the user count from above.

 

We’ll need enough appliance space for 8000 devices in total. This means we will need to purchase two of the ClearPass 5K appliances to accommodate everything, because one 5K appliance can’t handle the capacity we need. Two appliances also ensure there’s a failover model for short periods and growth potential.

 

Onboard: If the 3000 employees are allowed to use non-corporate or BYOD endpoints and IT wants to automate the onboarding process, you’ll need a ClearPass Onboard license for each device. Because you accounted for the total number of devices earlier to size the appliance, you already have enough appliance space for the BYOD MAC addresses. So, let’s assume there are 4000 BYOD devices. Now you just need 4000 Onboard licenses.

 

The Onboard licenses will remain on the device until revoked. This means that if the number of BYOD endpoints increases, you’ll need additional licenses. When someone leaves or a device is lost, revoking the license allows you to re-use it.

 

OnGuard: If the customer wants to perform a health check on all corporate employee laptops, they’ll order ClearPass OnGuard. Each device that has a health check performed will consume one OnGuard license. Since every one of the 3000 employees has a corporate laptop, that means we need to purchase 3000 OnGuard licenses. Simple...

 

Guest: To handle guest access, ClearPass Guest licenses are needed for every device that a user connects and is issued login credentials for. Based on the number from above, let’s assume we need licensing for 200 guests multiplied by 2.5 (devices), or a total of 500 Guest licenses per day. Guest licenses need to map to the number of devices that are seen on a daily basis. A multiplier of 2.5 was used because guests normally carry laptops, phones and more in an enterprise.

 

If there is no entry within ClearPass and credentials are not created, there is no need for a Guest license. The basic guest functionality that is built into the appliance allows for “using a credential from AD, LDAP, etc.” and the use of “social” without a Guest license. When you do not create a specific entry within the Policy Manager, you do not consume a ClearPass Guest license.

 

So, in order to accommodate the customer’s needs in this example, all we need is:

  • ClearPass Policy Manager – 2 X 5K
  • ClearPass Onboard – 4000 Licenses
  • ClearPass OnGuard – 3000 Licenses
  • ClearPass Guest – 500 Licenses

Comments

Sep 29, 2017 08:53 AM

No, one license per machine.

Sep 29, 2017 08:48 AM

Thanks, for OnGuard licenses, it will consume 2 licenses for wired and wireless module in each laptop, right?

Sep 29, 2017 08:24 AM

No. It’s per issued certificate. The device is issued one certificate.

Sep 29, 2017 04:41 AM

If each laptop requires onboarding for wired and wireless module, would it consume 2 Onboard licenses?

Apr 21, 2016 07:58 AM

If you don't want to consume guest licenses, your options are:

- policy manager identity store logins (AD, LDAP, etc)
- social network login

Apr 21, 2016 06:51 AM

Trent

 

"IF there was no entry within ClearPass and credentials are not created there is no need for a guest license. Basic guest that is built into the appliance allows for “acceptance of use” and the use of “social” without a Guest license."

Could you elaborate on this for me? I have a client that has an open guest SSID, with their initial enterprise licenses highlighted in red. I would like to work on a solution that wouldn't require them purchasing additional guest licenses. Any help would be much appreciated.

 

Dec 01, 2015 04:03 PM

Hi Andy,

 

Separate licenses versus the Enterprise option depends on the customer. Sometimes it's our pricing model, sometimes the TM and SE help a customer choose based on current and future needs. The Enterprise option can provide flexibility if the customer is indecisive in how many BYOD, versus guests, etc.

 

MAC caching won't use up a Guest license when the device connects the next day, but you'll still need space in the appliance for that MAC address on day two, three, etc. The Guest license used on day one was because the user went through the portal and an entry was created within the appliance. Remember there's only "one" license to use the appliance and the space within (500, 5K or 25K). Each MAC address that is connected and authenticated regardless if it used a Guest, Onboard or OnGuard license will need to be accounted for in the appliance.

 

Theoretically you could use more than 8000 spaces across the two appliances if the customer allows for a lot of MAC caching. Luckily there's 2000 spaces left in the example above.

 

 

 

Dec 01, 2015 02:52 PM

A couple of (possibly stupid) questions

 

Firstly why not specify enterprise licenses instead of the individual guest, onboard and onguard licenses?

 

Secondly, if you use guest with MAC caching, then the next time that guest's device is authenticated (by the device's MAC address), do they not "consume" an endpoint license (assuming their account is valid for more than one day), so in some cases would you need more than 8000 policy manager licenses?

 

thanks

Andy