Security

Yes a RADIUS session = Access license consumed. Make sure you have RADIUS accounting properly configured on your NADs.

Thanks, unfortunately with proxied RADIUS we have no control over the authentication server so cannot get RADIUS accounting turned on, let along properly configured!  It's fine for our local users.

I was hoping that CPPM could be configured to either realise that two authentication requests for the same username, and device MAC address are the same session so would consume only one license, or as users regularly re-authenticate because of roaming, we could set a low timeout for these proxied sessions?

Thanks, unfortunately with proxied RADIUS we have no control over the authentication server so cannot get RADIUS accounting turned on, let along properly configured!  It's fine for our local users.

I was hoping that CPPM could be configured to either realise that two authentication requests for the same username, and device MAC address are the same session so would consume only one license, or as users regularly re-authenticate because of roaming, we could set a low timeout for these proxied sessions?

ClearPass does do that, the license is consumed based on the MAC address of the device.  If Accounting isn't in place, then you'll see that license count as used for 24 hours.

Thanks, unfortunately with proxied RADIUS we have no control over the authentication server so cannot get RADIUS accounting turned on, let along properly configured!  It's fine for our local users.

I was hoping that CPPM could be configured to either realise that two authentication requests for the same username, and device MAC address are the same session so would consume only one license, or as users regularly re-authenticate because of roaming, we could set a low timeout for these proxied sessions?

Yes a RADIUS session = Access license consumed. Make sure you have RADIUS accounting properly configured on your NADs.

Thanks chulcher,

JTo clarify, does that mean if the same MAC address makes multiple authentications in 24 hours they would only consume one license?  If so, our stats don't bear that out, or we have other devices using up licenses we are not aware of.

Is there any way to interrogate CPPM to extract details of the license usage, to see which MAC addresses are assigned to licenses?

Thanks

ClearPass does do that, the license is consumed based on the MAC address of the device.  If Accounting isn't in place, then you'll see that license count as used for 24 hours.

Thanks, unfortunately with proxied RADIUS we have no control over the authentication server so cannot get RADIUS accounting turned on, let along properly configured!  It's fine for our local users.

I was hoping that CPPM could be configured to either realise that two authentication requests for the same username, and device MAC address are the same session so would consume only one license, or as users regularly re-authenticate because of roaming, we could set a low timeout for these proxied sessions?

Yes a RADIUS session = Access license consumed. Make sure you have RADIUS accounting properly configured on your NADs.

That should be the case, yes.  If you believe that you're seeing otherwise, then I'd recommend opening a case with TAC to help you determine where the discrepancy lies.

Is the license consumption causing an operational issue at this point?

Thanks chulcher,

JTo clarify, does that mean if the same MAC address makes multiple authentications in 24 hours they would only consume one license?  If so, our stats don't bear that out, or we have other devices using up licenses we are not aware of.

Is there any way to interrogate CPPM to extract details of the license usage, to see which MAC addresses are assigned to licenses?

Thanks

ClearPass does do that, the license is consumed based on the MAC address of the device.  If Accounting isn't in place, then you'll see that license count as used for 24 hours.

Thanks, unfortunately with proxied RADIUS we have no control over the authentication server so cannot get RADIUS accounting turned on, let along properly configured!  It's fine for our local users.

I was hoping that CPPM could be configured to either realise that two authentication requests for the same username, and device MAC address are the same session so would consume only one license, or as users regularly re-authenticate because of roaming, we could set a low timeout for these proxied sessions?

Yes a RADIUS session = Access license consumed. Make sure you have RADIUS accounting properly configured on your NADs.

I will do that as the number of licenses used is at least 1,000-1,500 higher than I would expect if it were only assignng one license per MAC.  We don't have a critical problem as we have enough spare licenses at the moment, but I will raise a TAC case as you suggest, to look further into it.

Thanks again for clarifying how it should work

That should be the case, yes.  If you believe that you're seeing otherwise, then I'd recommend opening a case with TAC to help you determine where the discrepancy lies.

Is the license consumption causing an operational issue at this point?

Thanks chulcher,

JTo clarify, does that mean if the same MAC address makes multiple authentications in 24 hours they would only consume one license?  If so, our stats don't bear that out, or we have other devices using up licenses we are not aware of.

Is there any way to interrogate CPPM to extract details of the license usage, to see which MAC addresses are assigned to licenses?

Thanks

ClearPass does do that, the license is consumed based on the MAC address of the device.  If Accounting isn't in place, then you'll see that license count as used for 24 hours.

Thanks, unfortunately with proxied RADIUS we have no control over the authentication server so cannot get RADIUS accounting turned on, let along properly configured!  It's fine for our local users.

I was hoping that CPPM could be configured to either realise that two authentication requests for the same username, and device MAC address are the same session so would consume only one license, or as users regularly re-authenticate because of roaming, we could set a low timeout for these proxied sessions?

David, this is probably expected. All RADIUS authentications that run through ClearPass will consume a license counted against the unique MAC address for 24 hour, unless via accounting ClearPass learns that the session has been terminated. In an eduroam environment, where you don't have accounting, or don't control accounting this may require that you need more licenses than you would need in the case accounting would be implemented.

What typically helps is the Licensing dashboard and Licensing report in ClearPass Insight:

If you need to know which clients are consuming those licenses, you can create a Licensing Report:

When you run the report, the time interval is not relevant as it is a report on the time you run it, you will get a zip file with in it a CSV containing all authentications counting against the licenses (obfuscated MAC&Username to protect the innocent):

This report helped me multiple times to better understand why you see the numbers that you see.

I will do that as the number of licenses used is at least 1,000-1,500 higher than I would expect if it were only assignng one license per MAC.  We don't have a critical problem as we have enough spare licenses at the moment, but I will raise a TAC case as you suggest, to look further into it.

Thanks again for clarifying how it should work

That should be the case, yes.  If you believe that you're seeing otherwise, then I'd recommend opening a case with TAC to help you determine where the discrepancy lies.

Is the license consumption causing an operational issue at this point?

Thanks chulcher,

JTo clarify, does that mean if the same MAC address makes multiple authentications in 24 hours they would only consume one license?  If so, our stats don't bear that out, or we have other devices using up licenses we are not aware of.

Is there any way to interrogate CPPM to extract details of the license usage, to see which MAC addresses are assigned to licenses?

Thanks

ClearPass does do that, the license is consumed based on the MAC address of the device.  If Accounting isn't in place, then you'll see that license count as used for 24 hours.

Thanks, unfortunately with proxied RADIUS we have no control over the authentication server so cannot get RADIUS accounting turned on, let along properly configured!  It's fine for our local users.

I was hoping that CPPM could be configured to either realise that two authentication requests for the same username, and device MAC address are the same session so would consume only one license, or as users regularly re-authenticate because of roaming, we could set a low timeout for these proxied sessions?

Yes a RADIUS session = Access license consumed. Make sure you have RADIUS accounting properly configured on your NADs.

Thank you Herman, I wasn't aware I could get the detail from Insight so that's really useful.  Coupling that with other authentication reports, I have been able to check the data now and I can see that I do simpy have more users roaming on remote sites than I ever expected.

Thanks to all for your help and constructive comments.

David, this is probably expected. All RADIUS authentications that run through ClearPass will consume a license counted against the unique MAC address for 24 hour, unless via accounting ClearPass learns that the session has been terminated. In an eduroam environment, where you don't have accounting, or don't control accounting this may require that you need more licenses than you would need in the case accounting would be implemented.

What typically helps is the Licensing dashboard and Licensing report in ClearPass Insight:

If you need to know which clients are consuming those licenses, you can create a Licensing Report:

When you run the report, the time interval is not relevant as it is a report on the time you run it, you will get a zip file with in it a CSV containing all authentications counting against the licenses (obfuscated MAC&Username to protect the innocent):

This report helped me multiple times to better understand why you see the numbers that you see.

I will do that as the number of licenses used is at least 1,000-1,500 higher than I would expect if it were only assignng one license per MAC.  We don't have a critical problem as we have enough spare licenses at the moment, but I will raise a TAC case as you suggest, to look further into it.

Thanks again for clarifying how it should work

That should be the case, yes.  If you believe that you're seeing otherwise, then I'd recommend opening a case with TAC to help you determine where the discrepancy lies.

Is the license consumption causing an operational issue at this point?

Thanks chulcher,

JTo clarify, does that mean if the same MAC address makes multiple authentications in 24 hours they would only consume one license?  If so, our stats don't bear that out, or we have other devices using up licenses we are not aware of.

Is there any way to interrogate CPPM to extract details of the license usage, to see which MAC addresses are assigned to licenses?

Thanks

ClearPass does do that, the license is consumed based on the MAC address of the device.  If Accounting isn't in place, then you'll see that license count as used for 24 hours.

Thanks, unfortunately with proxied RADIUS we have no control over the authentication server so cannot get RADIUS accounting turned on, let along properly configured!  It's fine for our local users.

I was hoping that CPPM could be configured to either realise that two authentication requests for the same username, and device MAC address are the same session so would consume only one license, or as users regularly re-authenticate because of roaming, we could set a low timeout for these proxied sessions?