You are here: Change of Behaviors in Previous 6.7.x Releases > Licensing Enhancements in ClearPass 6.7

Licensing Enhancements

The 6.7.0 release introduces major enhancements in the ClearPass licensing platform. The licensing structure is improved to be easily scalable for networks of any size, whether small or large. Almost all license management is available within the Policy Manager user interface, and up-to-the-minute usage statistics can be viewed at a granular level. As part of these changes: (#39222, #39705, #39711, #39716, #41079, #43007, )

* Two new license types are included: the ClearPass Platform Activation Key and the Access License. The ClearPass Platform Activation Key enables ClearPass on the server, and replaces the Policy Manager License. The Access License handles authentications on the system.
* The ClearPass Guest Application License has been deprecated. The Web-Based User Registration and Authentication capability previously enabled with the ClearPass Guest License is now enabled with the new Access Application License. The Onboard Application licenses are now counted per-user rather than per-device.
* Licenses can be purchased in smaller minimum quantities, and additional blocks of licenses can be added in increments as small as 100 or as large as 10K.
* One Virtual Appliance SKU which can be used for the C1000V, C2000V, and C3000V virtual appliance types.
* When a subscription license or an evaluation license expires, ClearPass will continue to work normally but Administrators will not be able to make services configuration changes, and updates and upgrades will not work.
* Now that Guest Application licensing is bundled into the Access Application license and is based upon concurrency, High Capacity Guest mode is no longer required or available. It has been removed from the cluster-wide parameters configuration.
* ClearPass 6.7.0 eliminates the use of the Subscription ID to validate support entitlement for access to the Software Updates portal (for example, posture and profile data updates, firmware and patch updates, and skins). The HPE Passport account credentials that are associated with customers' ClearPass licenses are now used to validate entitlement — this serves to simplify and reduce the frequency of issues previously seen by customers if they updated their support contract but it was not recognized by the Subscription ID. On the Software Updates page, enter your HPE Passport username and password in the HPE Passport Credentials area. We recommend that customers use a “generic” HPE Passport account (for example, clearpass@customerX.com or CustomerXClearPass) to avoid any future issues in the event that an individual employee leaves the business and the HPE Passport account is closed or the password is forgotten. Legacy ClearPass licenses and their associated Subscription ID(s) should be moved to this generic account for validation purposes.
* All license installation is now performed through the Policy Manager user interface. Licenses cannot be installed through the CLI.

ClearPass Platform Activation Key

The ClearPass Activation Key enables ClearPass on the appliance, and replaces the Policy Manager License.

* If you are upgrading to ClearPass 6.7.0 from an earlier version, your existing Policy Manager License Key will be automatically converted to a Platform Activation Key (PAK). You will not need to do anything to make the conversion happen, and the PAK is pre-activated.
* If you are a new customer doing a fresh installation of ClearPass 6.7.0, then in the HPE My Networking Portal you will receive a Platform Activation Key (PAK) for each ClearPass appliance and redeem your licenses. When you first log in to ClearPass, you will be prompted to enter the Platform Activation Key in the license key field of the End-User License Agreement, and then prompted to activate the product. This associates the ClearPass Platform License with the appliance. Remember to activate your Platform Activation Key as soon as it is installed. If it is not activated within 90 days, access to the ClearPass user interface will be locked and must be reopened by TAC.

The ClearPass Platform License is the base-level license and enables ClearPass on the appliance, including the Policy Manager and Guest user interface. You must have a ClearPass Platform license for every appliance. You can activate the license offline by submitting a case through the My Networking portal.

Each hardware and virtual appliance receives a permanent Platform License that never expires.

Application Licenses

ClearPass supports three Application License types: Access, OnGuard, and Onboard. Application licenses can be added for Onboard and OnGuard. To add an application license, go to Administration > Server Manager > Licensing and click Add License. To update or activate an Application License, go to the Administration > Server Manager > Licensing > Applications tab. To activate the license offline, submit a case through My Networking portal.

* Access — The Access license accounts for authentications on the system, and is now based on actual current usage — that is, each user or device consumes an Access License during an active session. The Access License is also no longer associated with an appliance, and Guest functionality is now included in this license. It is available as either a perpetual license, or as a one year, three year, or five year subscription license. The minimum number of Access licenses is 100.
* Onboard — Each Onboard Application License is now computed based on the number of users with Onboard-generated device certificates rather than on the user’s number of enrolled devices. It is available as either a perpetual license, or as a one year, three year, or five year subscription license. The minimum number of Onboard licenses is 100.
* OnGuard — The OnGuard Application License is computed for all endpoints using OnGuard in any mode of operation. It is consumed by device rather than by MAC address or username, and for a period of 24 hours. It is available as either a perpetual license, or as a one year or three year subscription license. The minimum number of OnGuard licenses is 100.

License Tracking

License usage counts are now computed every 15 minutes, and the count on the Administration > Server Manager > Licensing page is updated accordingly.

License Management in the User Interface

* The Administration > Server Manager > Licensing page lets you access and manage your licenses:
- The Add License link lets you add licenses that have been purchased and redeemed in My Networking Portal (MNP), and a new Refresh Count link lets you update the license usage counts to the current moment.
- The License Summary tab now shows the total count and used count for each of the new license types (Access, Onboard, and OnGuard).
- The Servers tab now lets you see information for the ClearPass Platform license on the server (instead of the Enterprise license), and activate or update the Platform license.
- The Applications tab lets you see information for the product Application licenses on the server and activate or update the licenses.
* In Insight, you can go to Dashboard > Licensing to open the Licensing Dashboard page. Three graphs on this page let you view license information for the Access, Onboard, and OnGuard license types:
- Current License Usage (15 minutes interval) — For each type, this graph shows the Total, Exceeds limit, and Used counts over the past 15 minutes.
- License Usage In Last 24 Hours — For each type, this graph shows the Used Count and Available Count for each hour over the past 24 hours.
- Maximum License Usage — For each type, this graph shows the Max used count for a given time frame. This graph can be set for a look-back window of the last 24 hours, one week, or one month.
* In the Policy Manager Dashboard, the pie chart in the License Usage widget shows the Available Count and Used Count for Access, Onboard, and OnGuard Application Licenses.

Licenses in Cluster Scenarios

* All license management operations for a cluster must be performed on the publisher.
* When you add an appliance to a cluster, it loses all of its licenses except for the Platform Activation Key. Any Application Licenses it had before it became a subscriber must then be added to the publisher.
* When you drop an appliance from a cluster, it loses all of its licenses except for the Platform Activation Key.
* When an appliance is manually promoted to publisher, all of its Application Licenses must be reactivated.
* When an appliance is automatically promoted to publisher, there is no change in the status of any of its licenses.
* Licenses are shared by a cluster. For example, if there are five ClearPass appliances in the cluster and a 10K Access license is applied, that capacity is distributed across the cluster as needed.

Insight Reports for Licensing

* Two new licensing reports, Licensing Dashboard and Licensing Report, are added in 6.7.0. These replace the previous System Dashboard and System License Usage reports, which are now deprecated.
* Since Guest functionality is included in the Access License, the Guest License Usage Trend graph is now deprecated.

Upgrade Process Overview

During a ClearPass upgrade the following activities will occur:

* The Policy Manager license (500, 5K, and 25K) will be used as the PAK for ClearPass hardware and virtual appliances. It will also be automatically activated irrespective of Internet access.
* 1000 Access, 100 Onboard, and 100 OnGuard evaluation licenses will be auto-installed in the system with an expiration period of six months.
* The Subscription ID will be replaced by the HPE Passport credentials.

We recommend that you capture the in-use Subscription ID before you upgrade.

The inclusion of the above evaluation licenses for Access, Onboard, and OnGuard licenses ensures that customers can continue operating after the upgrade if there are any issues issuing or converting the license keys to ClearPass 6.7.