Licensing Overview
The Policy Manager licensing structure is scalable for any size network, whether small or large. Almost all license management is available within the Policy Manager user interface, and up-to-the-minute usage statistics can be viewed at a granular level.
Permanent, Subscription and Evaluation License Types
Policy Manager licenses are issued as Permanent, Subscription, or Evaluation types:
Permanent licenses do not expire.
Subscription licenses can be valid for one, three, or five years and expire after the specified
Evaluation licenses are valid for a shorter time period, typically between 90 and 180 days.
When a Subscription or Evaluation license expires, Policy Manager continues to operate normally. However, administrators will not be able to make Policy Manager configuration or service changes and upgrades are not operable. A Policy Manager deployment cannot use both subscription and permanent licenses for a license type (for example, an Onboard Application License); they need to be of the same type.
Policy Manager Platform Licenses
The Policy Manager Platform License is the base-level license and enables Policy Manager on the appliance, including the Policy Manager and Guest user interface. You must have a Policy Manager Platform License for every hardware or virtual appliance. The Policy Manager Platform License is available as a permanent or evaluation license.
If you are upgrading to Policy Manager 6.10 from Policy Manager 6.6.x or later, your existing Policy Manager License key will be automatically converted to a Policy Manager Platform Activation Key (PAK). You will not need to do anything to make the conversion happen, and the legacy Platform Activation Key is preactivated as a Policy Manager Platform License.
If you are a new customer doing a fresh installation of Policy Manager 6.10.x, then use the HPE Networking Support Portal to receive a Platform Activation Key for each Policy Manager appliance and redeem your licenses. For details, refer to Activating a Platform License or Platform Activation Key.
If you do not want to activate a platform license online through Policy Manager, you can activate the license offline by submitting a case through the My Networking portal. For details, refer to Offline License Activation.
If a Platform License is invalid, or does not have a valid Support Agreement Entitlement ID tied to it, an administrator cannot download the Update or Upgrade archive, or install Updates and Upgrades imported for offline systems.
Licensing requirements and procedures vary slightly between ClearPass virtual appliances and ClearPass hardware appliances. For details, see Platform License or Platform Activation Key Requirements.
Application License Types
ClearPass Policy Manager supports the following Application License types:
Entry Licenses
An Entry license is a basic Application License that supports a limited number of core features, including:
MAC authentication
Web-based user registration and authentication (such as self-registration, sponsor based, and social)
Multi-Factor Authentication
OnConnect
Some 360 Security Exchange features, including local Endpoint Context Servers and Context Server Actions for the local host, and XML/REST APIs.
Entry licenses are available as permanent or evaluation licenses, and are supported on Policy Manager 6.8.0 or higher.
The Entry license does not include support for the TACACS+ authentication and endpoint profiling features supported by the Access license. Entry licenses also do not support non-Local host endpoint context servers or Policy Manager extensions.
Access Licenses
The Access license enables the complete set of Policy Manager features and authentication types, including 802.1X, MAB, WebAuth, OAuth2, TACACS+, and Guest authentication. Guest functionality is also embedded in Access licenses. Access licenses are available as a Permanent, Subscription or Evaluation license. If your Policy Manager server does not have an Access license, the Network Scan feature is disabled and the Span port is set to the default setting. Note that the Network Scan feature is disabled when Device Insight Integration is enabled (see Device Insight Integration Page for more information).
When an Access license that was not activated expires, service creation on that Policy Manager server is blocked. For this reason, Aruba recommends that, if multiple Access licenses are installed, you activate them as soon as they are installed. This ensures that even if one activated Access license is expired, service configuration will be allowed if the other Access Licenses have not yet reached their expiration dates.
If you have purchased Access licenses, the licensing system will not accept Entry licenses (or even Entry and Access Upgrade licenses together).
If you have purchased Access licenses, the ClearPass licensing system will not accept Entry licenses (or even Entry + Access Upgrade licenses). Once you have Access licenses, only Access will load for this function. If Entry and Access Upgrade are not applied in equal quantities, they are treated as Entry licenses only.
If Policy Manager service creation has been blocked due to an Access license that was allowed to expire while it was not activated:
1. Activate the expired license.
2. Verify whether the other Access licenses are still within their valid date range.
3. Activate any other Access licenses that have expired.
Access Upgrade Licenses
An Access Upgrade license allows you to upgrade an Entry license to support the complete range of features supported by an Access license. This license is available as a permanent license only, and was introduced in Policy Manager 6.8.0. To upgrade Entry Licenses to Access Licenses, you must purchase an Access Upgrade license for every one of your Entry licenses. For example, if you have ten Entry licenses, you cannot purchase five Access Upgrade licenses and upgrade just five Entry licenses to Access Licenses. You must purchase ten Access Upgrade licenses for the ten Entry licenses for the upgrade to work.
If Entry and Access Upgrade Licenses are not applied in equal quantities, they are treated as Entry licenses only.
OnGuard/Compliance Suite Licenses
The OnGuard and Compliance Suite licenses are responsible for all the activities related to Policy Manager OnGuard.
An OnGuard license is a permanent license that does not expire.
A Compliance Suite license is a subscription license available for one, three, or five years.
A Compliance Suite license also allows Policy Manager to integrate with Device Insight.
A Compliance Suite or OnGuard license is consumed for all OnGuard deployments (Persistent and Dissolvable) and any mode of operation (Authentication with Health Checks, Health Check only, Authentication only). A Compliance Suite or OnGuard license is consumed on a device basis for a period of 24 hours.
When a Compliance Suite license is installed without an Entry or Access license, the only services that can be configured are Device Insight Integration and OnGuard health checks.
Onboard Licenses
Onboard license usage is computed based on the number of users with Onboard-generated device certificates. It is available as either a Permanent, Subscription or Evaluation license. The minimum number of Onboard licenses is 100.
Application License Consumption
Policy Manager endpoints consume Entry and Access licenses based on active session counts. The active session is defined as the duration between:
RADIUS accounting Start and Stop
OnConnect SNMP MAC address learned and MAC address removed or aged
If the session cannot be identified (due to a lack of accounting), the Access license is consumed based on the MAC address for 24 hours.
On a Policy Manager system with a valid Access license, TACACS+ sessions are not counted towards Access license consumption.
WebAuth (non-OnConnect), OAuth2, AppAuth, and API requests are not counted towards Access license consumption.
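The consumption rules above, worked through as an added example (not HPE Aruba code): a sketch that estimates peak session-based license usage from session records for capacity planning. The record fields, the constructed sample data, and the treatment of a repeat authentication inside the 24-hour MAC window are assumptions; the page does not describe how Policy Manager tallies usage internally.

```python
from datetime import datetime, timedelta

# Request types the page lists as not counted towards Access license consumption.
NOT_COUNTED = {"TACACS+", "WebAuth", "OAuth2", "AppAuth", "API"}
MAC_WINDOW = timedelta(hours=24)  # used when no accounting identifies the session

def license_intervals(events):
    """Return (start, end) intervals, each holding one license."""
    intervals, mac_window_end = [], {}
    for ev in sorted(events, key=lambda e: e["start"]):
        if ev["type"] in NOT_COUNTED:
            continue
        if ev["stop"] is not None:  # accounting Start and Stop were both seen
            intervals.append((ev["start"], ev["stop"]))
            continue
        # No accounting: the MAC address holds a license for 24 hours.
        # Assumption: a re-authentication inside that window is not counted again.
        if ev["start"] < mac_window_end.get(ev["mac"], datetime.min):
            continue
        mac_window_end[ev["mac"]] = ev["start"] + MAC_WINDOW
        intervals.append((ev["start"], mac_window_end[ev["mac"]]))
    return intervals

def peak_consumption(events):
    """Sweep the interval boundaries and return the highest concurrent count."""
    points = []
    for start, end in license_intervals(events):
        points += [(start, 1), (end, -1)]
    current = peak = 0
    # Tuples sort ends (-1) before starts (+1) at the same instant, so a session
    # that begins exactly when another ends does not inflate the peak.
    for _, delta in sorted(points):
        current += delta
        peak = max(peak, current)
    return peak

T0 = datetime(2024, 1, 1)  # constructed sample data, not real logs
def at(h, m=0):
    return T0.replace(hour=h, minute=m)

SAMPLE = [
    {"mac": "aa:00:00:00:00:01", "type": "802.1X", "start": at(8), "stop": at(10)},
    {"mac": "aa:00:00:00:00:02", "type": "802.1X", "start": at(9), "stop": at(9, 30)},
    {"mac": "aa:00:00:00:00:03", "type": "MAB", "start": at(9, 15), "stop": None},
    {"mac": "aa:00:00:00:00:03", "type": "MAB", "start": at(12), "stop": None},
    {"mac": "aa:00:00:00:00:04", "type": "TACACS+", "start": at(9, 20), "stop": at(9, 40)},
    {"mac": "aa:00:00:00:00:05", "type": "WebAuth", "start": at(9, 25), "stop": None},
    {"mac": "aa:00:00:00:00:06", "type": "MAB", "start": at(10), "stop": at(11)},
]

if __name__ == "__main__":
    print("peak licenses in use:", peak_consumption(SAMPLE))
```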
ClearPass 6.11 License Activation
If attempting to upgrade to 6.11.0, keep in mind license activation does not carry forward from 6.9.x and 6.10.x versions. Obtain a copy of all the license keys (Platform, Access, Onboard, OnGuard etc.) prior to moving to ClearPass 6.11. The keys can be viewed from the output of the show license command.
The ClearPass 6.11.0 release has tight checks on the license format. Before a ClearPass system is installed with 6.11.0 software, the HPE Networking Support Portal should be contacted to replace each legacy license key with an updated license key in the correct format. Legacy license keys are those issued prior to ClearPass 6.8.0, and consist of a single line. The current license key format was introduced in ClearPass 6.8.0, and consists of several lines.
In the case of a ClearPass cluster, run the show license command on the publisher (to view all cluster-wide application licenses) and on each subscriber (to view its Platform license).
ClearPass 6.11 license activation requires:
1. Back up existing licenses from ClearPass 6.9.X or 6.10.X systems.
2. Install ClearPass version 6.11.0 or deploy a new 6.11.0 VM. For more information, refer to the ClearPass 6.11 Installation Guide.
3. Add the existing license keys used in the 6.9.X or 6.10.X deployment.
4. Activate the license keys on the 6.11.0 system.
Once licenses are re-applied in ClearPass 6.11.0, the system behaves as if the licenses are added for the first time, since the activation state is not ported from legacy 6.9.X or 6.10.X versions to 6.11.0. In this case there is a 90-day period to activate licenses in ClearPass 6.11.0.