A simplified look at ClearPass licensing

By Trent Fierro, Blog Contributor

I decided to put together a short ClearPass ordering example based on some of the questions I'm seeing in the Airheads community. Let me know what you think.

After deciding on ClearPass to help solve AAA, BYOD, guest and health check use cases, it's finally time to put together a bill of materials. Let's assume that the customer has 3000 employees and 100 to 200 new guests per day. The starting point is to determine how many devices will be authenticated on a weekly basis (laptops, printers, smartphones, tablets, etc.), and then choose a ClearPass appliance.

Policy Manager: The appliances come in 3 models (500, 5K, or 25K), each of which can be purchased in either virtual or hardware format. Remember to think devices and not users. Often, when IT does not know the number of devices, they will use the number of people multiplied by 2.5 as a baseline to determine the number of devices. Let's use 8,000 devices for this example based on the user count from above.

We'll need enough appliance space for 8000 devices in total. This means we will need to purchase two of the ClearPass 5K appliances to accommodate everything, because one 5K appliance can't handle the capacity we need. Two appliances also ensure there's a failover model for short periods and growth potential.

Onboard: If the 3000 employees are allowed to use non-corporate or BYOD endpoints and IT wants to automate the onboarding process, you'll need a ClearPass Onboard license for each device. Because you accounted for the total number of devices, including the BYOD MAC addresses, when sizing the appliance earlier, you already have enough appliance space. So, let's assume there are 4000 BYOD devices. Now you just need 4000 Onboard licenses.

The Onboard licenses will remain on the device until revoked. This means that if the number of BYOD endpoints increases, you'll need additional licenses. When someone leaves or a device is lost, revoking the license allows you to re-use it.

OnGuard: If the customer wants to perform a health check on all corporate employee laptops, they'll order ClearPass OnGuard. Each device that has a health check performed will consume one OnGuard license. Since every one of the 3000 employees has a corporate laptop, that means we need to purchase 3000 OnGuard licenses. Simple...

Guest: To handle guest access, a ClearPass Guest license is needed for every device that a user connects and for which login credentials are issued. Based on the number from above, let's assume we need licensing for 200 guests multiplied by 2.5 (devices), or a total of 500 Guest licenses per day. Guest licenses need to map to the number of devices that are seen on a daily basis. The 2.5 multiplier was used because guests normally carry laptops, phones and more in an enterprise.

If there is no entry within ClearPass and credentials are not created, there is no need for a Guest license. The basic guest capability that is built into the appliance allows for "using a credential from AD, LDAP, etc." and the use of "social" without a Guest license. When you do not create a specific entry within the Policy Manager, you do not consume a ClearPass Guest license.

So, to accommodate the customer's needs in this example, all we need is:

  • ClearPass Policy Manager – 2 X 5K
  • ClearPass Onboard – 4000 Licenses
  • ClearPass OnGuard – 3000 Licenses
  • ClearPass Guest – 500 Licenses