Licensing Overview

The Policy Manager licensing structure is scalable for networks of any size, whether small or large. Almost all license management is available within the Policy Manager user interface, and up-to-the-minute usage statistics can be viewed at a granular level.

Permanent, Subscription and Evaluation License Types

Policy Manager licenses are issued as Permanent, Subscription, or Evaluation types:

Permanent licenses do not expire.

Subscription licenses can be valid for one, three, or five years and expire after the specified subscription period.

Evaluation licenses are valid for a shorter time period, typically between 90 and 180 days.

 

When a Subscription or Evaluation license expires, Policy Manager continues to operate normally. However, administrators will not be able to make Policy Manager configuration or service changes, and upgrades are not operable.

A Policy Manager deployment cannot use both subscription and permanent licenses for a license type (for example, an Onboard Application License); they need to be of the same type.

Policy Manager Platform Licenses

The Policy Manager Platform License is the base-level license and enables Policy Manager on the appliance, including the Policy Manager and Guest user interface. You must have a Policy Manager Platform License for every hardware or virtual appliance. The Policy Manager Platform License is available as a permanent or evaluation license.

If you are upgrading to Policy Manager 6.9 from Policy Manager 6.6.x or later, your existing Policy Manager License key will be automatically converted to a Policy Manager Platform Activation Key (PAK). You will not need to do anything to make the conversion happen, and the legacy Platform Activation Key is preactivated as a Policy Manager Platform License.

If you are a new customer doing a fresh installation of Policy Manager 6.9.x, then you can use the Aruba Support Portal to receive a Platform Activation Key for each Policy Manager appliance and redeem your licenses. For details, refer to Activating a Platform License or Platform Activation Key.

If you do not want to activate a platform license online through Policy Manager, you can activate the license offline by submitting a case through the My Networking portal. For details, refer to Offline License Activation.

Licensing requirements and procedures vary slightly between ClearPass virtual appliances and ClearPass hardware appliances. For details, see Platform License or Platform Activation Key Requirements.

Application License Types

ClearPass Policy Manager supports the following Application License types:

Entry Licenses

An Entry license is a basic Application License that supports a limited number of core features, including:

802.1X authentication

MAC authentication

Web-based user registration and authentication (such as self-registration, sponsor based, and social)

Multi-Factor Authentication

OnConnect

Some 360 Security Exchange features, including local Endpoint Context Servers and Context Server Actions for the local host, and XML/REST APIs.

Entry licenses are available as permanent or evaluation licenses, and are supported on Policy Manager 6.8.0 or higher.

 

The Entry license does not include support for the TACACS+ authentication and endpoint profiling features supported by the Access license. Entry licenses also do not support non-Local host endpoint context servers or Policy Manager extensions.

Access Licenses

The Access license enables the complete set of Policy Manager features and authentication types, including 802.1X, MAB, WebAuth, OAuth2, TACACS+, and Guest authentication. Guest functionality is also embedded in Access licenses. Access licenses are available as a Permanent, Subscription, or Evaluation license. If your Policy Manager server does not have an Access license, the Network Scan feature is disabled and the Span port is set to the default setting. Note that the Network Scan feature is disabled when Device Insight Integration is enabled (see Device Insight Integration Page for more information).

When an Access license that was not activated expires, service creation on that Policy Manager server is blocked. For this reason, Aruba recommends that, if multiple Access licenses are installed, you activate them as soon as they are installed. This ensures that even if one activated Access license is expired, service configuration will be allowed if the other Access licenses have not yet reached their expiration dates.

 

If you have purchased Access licenses, the ClearPass licensing system will not accept Entry licenses (or even Entry and Access Upgrade licenses together). Once you have Access licenses, only Access will load for this function. If Entry and Access Upgrade are not applied in equal quantities, they are treated as Entry licenses only.

If Policy Manager service creation has been blocked due to an Access license that was allowed to expire while it was not activated:

1. Activate the expired license.

2. Verify whether the other Access licenses are still within their valid date range.

3. Activate any other Access licenses that have expired.

Access Upgrade Licenses

An Access Upgrade license allows you to upgrade an Entry license to support the complete range of features supported by an Access license. This license is available as a permanent license only, and was introduced in Policy Manager 6.8.0. To upgrade Entry Licenses to Access Licenses, you must purchase an Access Upgrade license for every one of your Entry licenses. For example, if you have ten Entry licenses, you cannot purchase five Access Upgrade licenses and upgrade just five Entry licenses to Access Licenses. You must purchase ten Access Upgrade licenses for the ten Entry licenses for the upgrade to work.

 

If Entry and Access Upgrade Licenses are not applied in equal quantities, they are treated as Entry licenses only.

OnGuard / Compliance Suite Licenses

The OnGuard and Compliance Suite licenses are responsible for all the activities related to Policy Manager OnGuard.

An OnGuard license is a permanent license that does not expire.

A Compliance Suite license is a subscription license available for one, three, or five years.

A Compliance Suite license also allows Policy Manager to integrate with Device Insight.

A Compliance Suite or OnGuard license is consumed for all OnGuard deployments (Persistent and Dissolvable) and any mode of operation (Authentication with Health Checks, Health Check only, Authentication only). A Compliance Suite or OnGuard license is consumed on a device basis for a period of 24 hours.

 

When a Compliance Suite license is installed without an Entry or Access license, the only services that can be configured are Device Insight Integration and OnGuard health checks.

Onboard Licenses

Onboard license usage is computed based on the number of users with Onboard-generated device certificates. It is available as a Permanent, Subscription, or Evaluation license. The minimum number of Onboard licenses is 100.

Application License Consumption

Policy Manager endpoints consume Entry and Access licenses based on active session counts. An active session is defined as the duration between:

RADIUS accounting Start and Stop

OnConnect SNMP MAC address learned and MAC address removed or aged

If the session can't be identified (due to a lack of accounting), the Access license is consumed based on the MAC address for 24 hours.

 

On a Policy Manager system with a valid Access license, TACACS+ sessions are not counted towards Access license consumption.

 

WebAuth (non-OnConnect), OAuth2, AppAuth, and API requests are not counted towards Access license consumption.