Aruba Networks’ ClearPass 6.7: New license model – what’s new?

The most important high-level changes are:

• Decoupling of AAA licensing from hardware and Virtual Machine Appliances
• Ability to order appliances (hardware or virtual) independent of capacity licenses.
• Bundling of guest licensing into a new license type called Access. The Access license includes 802.1X, MAC Authentication, TACACS+, Guest, OnConnect, Security Exchange (previously ClearPass Exchange) and Endpoint profiling functionality.
• Access licenses are consumed based upon concurrent authenticated/authorized endpoints.
• Onboard licenses are now consumed based upon the number of users and not per device.

VM/ Hardware appliances

As mentioned above, the AAA licensing will be decoupled from hardware and Virtual Machine Appliances. One virtual appliance SKU and 3 hardware platforms SKUs are available.

ClearPass is currently supported on the following hypervisors:

• VMware vSphere Hypervisor (ESXi) 5.5, 6.0, 6.5, and 6.5 U1
• Microsoft Hyper-V Server 2012 R2 and 2016, Windows Server 2012 R2 with Hyper-V, and Windows Server 2016 with Hyper-V
• KVM on CentOS 6.6, 6.7 and 6.8 (ClearPass 6.7 support for KVM is not yet released).

Application Licenses

ClearPass application licenses are available in three types, Access, Onboard and OnGuard. They are available as perpetual and subscription-based licenses.

Access licenses

The Access license is used to enable 802.1X, MAC Authentication, TACACS+, Guest, OnConnect, Security Exchange (previously ClearPass Exchange) and Endpoint Profiling. Access license consumption is based upon a concurrent session per-endpoint model. Security Exchange and Endpoint Profiling are enabled when any Access license is installed but not restricted to any licensed capacity limits.

OnBoard licenses

The OnBoard license is used to enable automated provisioning and the creation of unique device identity certificates for any Windows, macOS, iOS, Android, ChromeOS, and Linux devices via a user-driven, self-guided portal.

OnBoard license consumption is based upon an active certificate per-user model. For example, if a given user has four devices with an active certificate each, only one OnBoard license is required. If over time, three out of the four devices are retired, and their associated certificates revoked, the fourth device certificate being active will still keep the OnBoard license associated to the user.

OnGuard licenses

ClearPass OnGuard leverages persistent and dissolvable agents to perform advanced endpoint posture assessments over wireless, wired and VPN connections. OnGuard’s health-check capabilities ensure compliance and network safeguards before devices connect. OnGuard license consumption is based upon a per-endpoint model. For example, if the OnGuard persistent agent is to be installed (persistent agent) or used (dissolvable agent) on five endpoints within a 24-hour period, five OnGuard licenses are required.

If you upgrade to Clearpass 6.7, you will need to convert your existing licenses to the new license model. The migration to the 6.7 license model will follow the 1:1 license exchange principle. Examples:

• Legacy ClearPass 5K (e.g. CP-VA-5K) => 5000 Access Licenses (new key) + 1x Platform Activation Key (PAK) for your hardware or VM appliance.
• Legacy ClearPass Onboard 10K => 10K Onboard Licenses (new key)
• Legacy ClearPass OnGuard 5K => 5K OnGuard Licenses (new key)

With the bundling of Guest into Access license, the Guest license type will no longer be available. You will receive additional Access licenses during the conversion.

• Legacy ClearPass Guest 500 => 500 Access Licenses

The Enterprise license type will no longer be available in ClearPass 6.7. An Enterprise license can be converted into X number of Access, Y number of Onboard and Z number of OnGuard license in multiples of 25. For example, a customer with 100 Enterprise licenses can get the following:

• 25 Access + 50 Onboard + 25 OnGuard licenses OR
• 75 Access + 25 Onboard licenses OR
• 100 OnGuard licenses

Most licenses can be converted via the My Networking Portal of HPE/Aruba (An HPE Passport account will be required to login). Due to the multiple options available, Enterprise license conversions requires assistance by Aruba Support and are not supported by the My Networking Places conversion tool. The Enterprise license conversion is a one-time, one-way process per license key.

The new ClearPass 6.7 keys are not immediately required after the upgrade. The Policy Manager license key (previously the 500, 5K and 25K) will auto-convert into a pre-activated Platform Activation Key. The updated system will also be pre-activated with temporary licenses that are set to expire 180 days after the upgrade has completed.

A detailed explanation of the license upgrade process can be found here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=28178

With a valid SecureLink support contract, you can contact the SecureLink service desk and we will help you with the conversion process of your existing ClearPass licenses.

What happens when I exceed a license?

A warning will be displayed in the web user interface as well as over syslog and SNMP

Is the High Capacity Guest (HCG) mode still available?

The bundling of Guest Access into the Access license along with the introduction of the concurrent session per-endpoint consumption model provides a more flexible alternative for customers.

Do I need to double the number of Access licenses for high-availability applications?

Access licenses are shared across all appliances in a cluster.

Is the Enterprise license still available?

The bundling of Guest Access into the Access license and per user Onboard consumption provides more value than the legacy Enterprise license.Do you have a question or would you like more information? Please do not hesitate to contact us.