Transcription

SCALING & ORDERING GUIDEClearPass Policy ManagerINTRODUCTIONClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access controlfor IoT, BYOD, corporate devices, as well as employees, contractors and guests across any multivendor wired, wireless and VPNinfrastructure.At a high level, ClearPass Policy Manager offers the following appliance and license options with more in-depth details later inthis document. Hardware and virtual appliances for high availability and/or performance requirements.Two ‘base’ level licenses depending on intended use cases.o Access licenses (introduced in Policy Manager 6.7) include features for Secure NAC use-caseso Entry licenses (introduced in Policy Manager 6.8) include features for Basic NAC use-cases. Entry licenses canbe upgraded to Access using a special Access Upgrade license should customer use cases change.Two add-on licenses for additional functionality depending on intended use cases.o Onboard provides automated provisioning and creation of unique device identity certificates.o OnGuard provides endpoint posture assessments over wireless, wired and VPN connections.Easy to understand license consumption methodologyo Access and Entry licenses are consumed based upon concurrent authenticated/authorized endpoints.o Onboard licenses are consumed based upon the number of users and not per device.o OnGuard licenses are consumed based upon the number of devices it is installed on.APPLIANCE & BASE APPLICATION LICENSESAppliancesClearPass hardware (specification later in this document) or virtual appliances are available for purchase using the followingSKUs.Hardware Appliances1Part NumberDescriptionJZ508AAruba ClearPass C1000 S-1200 R4 HW-Based ApplianceJZ509AAruba ClearPass C2000 DL20 Gen 9 HW-Based ApplianceJZ510AAruba ClearPass C3000 DL360 Gen 9 HW-Based ApplianceR1V82AAruba ClearPass C3010 DL360 Gen 10 HW-Based Appliance1One year parts warranty and can be extended with a support contract.Redundant/Spare Power SuppliesPart NumberDescriptionJX923AAruba ClearPass DL20 Spare Power Supply (for use with JZ509A)JX922AAruba ClearPass-Airwave DL360 500W Spare Power Supply (for use with JZ510A)R1T38AAruba DL360 Gen10 500W Spare PSU (for use with R1V82A)

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERVirtual Appliances2Part NumberDescriptionJZ399AAEAruba ClearPass Cx000V VM-Based Appliance E-LTU2This single SKU is used to order a Virtual Appliance irrespective of model type, e.g. C1000VBase Application LicensesClearPass Policy Manager ‘base’ application licenses are available in two types, Entry or Access.ACCESS LICENSESAccess licenses (introduced in Policy Manager 6.7) include features designed for Secure NAC use-cases. 802.1XMAC-AuthenticationWeb Based User Registration and Authentication (captive portal authentication)Multi-Factor Authentication (MFA)TACACS for Device Administration (e.g. Router, Switch, Controller, Firewall, etc)OnConnectSystem APIs360 Security Exchange (previously ClearPass Exchange)Standard endpoint visibility (also known as device fingerprinting)Access license consumption is based upon a concurrent session per-endpoint model. The 360 Security Exchange, standardendpoint visibility (also known as device fingerprinting) and TACACS are enabled when at least 100 Access licenses areinstalled but do not consume any Access licenses when used.A session is considered active when an endpoint is authenticated/authorized and actively connected to the network. When anew endpoint establishes a session, an Access license is removed from the pool. When the endpoint discontinues the session,an Access license is returned to the pool. Session checks are performed every 15 minutes. If the end of the session cannot beidentified (e.g. no accounting), the license will be removed from the pool for a period of 24 hours from the time the endpointauthenticated/authorized and connected to the network.The method to determine an active session depends on the access method per the following table.Access MethodSession BeginsSession Ends802.1XRADIUS Accounting STARTRADIUS Accounting STOPMAC AuthenticationRADIUS Accounting STARTRADIUS Accounting STOPCaptive PortalRADIUS Accounting STARTRADIUS Accounting STOPVPNRADIUS Accounting STARTRADIUS Accounting STOPOnConnectMAC Learned (mac-notify or link-up)MAC Removed/Aged (mac-notify or link-down)Access licenses are available as perpetual or subscription-based licenses from 100 to 100K concurrent endpoints. MultipleAccess licenses can be installed on a standalone appliance or cluster for increased licensed capacity, for example 100 100 100 300. Subscription licenses (which include support) are tracked both on licensed capacity and term. If two subscriptionlicenses are installed 6 months apart, the total term will be one and a half years however in the last 6 months, the licensedcapacity will drop to the remaining valid subscription.

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERAccess licenses are available per the following table.Access Licenses – Perpetual3Part NumberDescriptionJZ400AAEAruba ClearPass New Licensing Access 100 Concurrent Endpoints E-LTUJZ401AAEAruba ClearPass New Licensing Access 500 Concurrent Endpoints E-LTUJZ402AAEAruba ClearPass New Licensing Access 1K Concurrent Endpoints E-LTUJZ403AAEAruba ClearPass New Licensing Access 2500 Concurrent Endpoints E-LTUJZ404AAEAruba ClearPass New Licensing Access 5K Concurrent Endpoints E-LTUJZ405AAEAruba ClearPass New Licensing Access 10K Concurrent Endpoints E-LTUJZ406AAEAruba ClearPass New Licensing Access 25K Concurrent Endpoints E-LTUJZ407AAEAruba ClearPass New Licensing Access 50K Concurrent Endpoints E-LTUJZ408AAEAruba ClearPass New Licensing Access 100K Concurrent Endpoints E-LTU3Includes 90-day software warranty and can be extended with a support contract.Access Licenses – Subscription 1 YearPart NumberDescriptionJZ409AAEAruba ClearPass New Licensing Access 100 Concurrent Endpoints 1yr E-STUJZ410AAEAruba ClearPass New Licensing Access 500 Concurrent Endpoints 1yr E-STUJZ411AAEAruba ClearPass New Licensing Access 1K Concurrent Endpoints 1yr E-STUJZ412AAEAruba ClearPass New Licensing Access 2500 Concurrent Endpoints 1yr E-STUJZ413AAEAruba ClearPass New Licensing Access 5K Concurrent Endpoints 1yr E-STUJZ414AAEAruba ClearPass New Licensing Access 10K Concurrent Endpoints 1yr E-STUJZ415AAEAruba ClearPass New Licensing Access 25K Concurrent Endpoints 1yr E-STUJZ416AAEAruba ClearPass New Licensing Access 50K Concurrent Endpoints 1yr E-STUJZ417AAEAruba ClearPass New Licensing Access 100K Concurrent Endpoints 1yr E-STUAccess Licenses – Subscription 3 YearPart NumberDescriptionJZ418AAEAruba ClearPass New Licensing Access 100 Concurrent Endpoints 3yr E-STUJZ419AAEAruba ClearPass New Licensing Access 500 Concurrent Endpoints 3yr E-STUJZ420AAEAruba ClearPass New Licensing Access 1K Concurrent Endpoints 3yr E-STUJZ421AAEAruba ClearPass New Licensing Access 2500 Concurrent Endpoints 3yr E-STUJZ422AAEAruba ClearPass New Licensing Access 5K Concurrent Endpoints 3yr E-STUJZ423AAEAruba ClearPass New Licensing Access 10K Concurrent Endpoints 3yr E-STUJZ424AAEAruba ClearPass New Licensing Access 25K Concurrent Endpoints 3yr E-STUJZ425AAEAruba ClearPass New Licensing Access 50K Concurrent Endpoints 3yr E-STUJZ426AAEAruba ClearPass New Licensing Access 100K Concurrent Endpoints 3yr E-STU

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERAccess Licenses – Subscription 5 YearPart NumberDescriptionJZ427AAEAruba ClearPass New Licensing Access 100 Concurrent Endpoints 5yr E-STUJZ428AAEAruba ClearPass New Licensing Access 500 Concurrent Endpoints 5yr E-STUJZ429AAEAruba ClearPass New Licensing Access 1K Concurrent Endpoints 5yr E-STUJZ430AAEAruba ClearPass New Licensing Access 2500 Concurrent Endpoints 5yr E-STUJZ431AAEAruba ClearPass New Licensing Access 5K Concurrent Endpoints 5yr E-STUJZ432AAEAruba ClearPass New Licensing Access 10K Concurrent Endpoints 5yr E-STUJZ433AAEAruba ClearPass New Licensing Access 25K Concurrent Endpoints 5yr E-STUJZ434AAEAruba ClearPass New Licensing Access 50K Concurrent Endpoints 5yr E-STUJZ435AAEAruba ClearPass New Licensing Access 100K Concurrent Endpoints 5yr E-STUENTRY LICENSESEntry licenses (introduced in Policy Manager 6.8) include features designed for Basic NAC use-cases. 802.1XMAC-AuthenticationWeb Based User Registration and Authentication (captive portal authentication)Multi-Factor Authentication (MFA)OnConnectSystem APIsA session is considered active when an endpoint is authenticated/authorized and actively connected to the network. When anew endpoint establishes a session, an Entry license is removed from the pool. When the endpoint discontinues the session, anEntry license is returned to the pool. Session checks are performed every 15 minutes. If the end of the session cannot beidentified (e.g. no accounting), the license will be removed from the pool for a period of 24 hours from the time the endpointauthenticated/authorized and connected to the network.The method to determine an active session depends on the access method per the following table.Access MethodSession BeginsSession Ends802.1XRADIUS Accounting STARTRADIUS Accounting STOPMAC AuthenticationRADIUS Accounting STARTRADIUS Accounting STOPCaptive PortalRADIUS Accounting STARTRADIUS Accounting STOPVPNRADIUS Accounting STARTRADIUS Accounting STOPOnConnectMAC Learned (mac-notify or link-up)MAC Removed/Aged (mac-notify or link-down)Entry licenses are available as perpetual licenses from 100 to 100K concurrent endpoints. Multiple Entry licenses can beinstalled on a standalone appliance or cluster for increased licensed capacity, for example 100 100 100 300.Entry licenses can be upgraded to Access using the Access Upgrade licenses. Upgrading to Access would add the followingfeatures: TACACS for Device Administration (e.g. Router, Switch, Controller, Firewall, etc)360 Security Exchange (previously ClearPass Exchange)Standard endpoint visibility (also known as device fingerprinting)

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERThe number of Access Upgrade licenses must match the number of Entry licenses for the system to move from Entry mode toAccess mode. Onboard add-on application licenses can be added on top of a system running in Entry or Access mode, butOnGuard can only be installed on a system running in Access mode.Entry licenses are available per the following table.Entry Licenses – Perpetual3Part NumberDescriptionR1U35AAEAruba ClearPass New Licensing Entry 100 Concurrent Endpoints E-LTUR1U36AAEAruba ClearPass New Licensing Entry 500 Concurrent Endpoints E-LTUR1U37AAEAruba ClearPass New Licensing Entry 1K Concurrent Endpoints E-LTUR1U38AAEAruba ClearPass New Licensing Entry 2500 Concurrent Endpoints E-LTUR1U39AAEAruba ClearPass New Licensing Entry 5K Concurrent Endpoints E-LTUR1U40AAEAruba ClearPass New Licensing Entry 10K Concurrent Endpoints E-LTUR1U41AAEAruba ClearPass New Licensing Entry 25K Concurrent Endpoints E-LTUR1U42AAEAruba ClearPass New Licensing Entry 50K Concurrent Endpoints E-LTUR1U43AAEAruba ClearPass New Licensing Entry 100K Concurrent Endpoints E-LTU3Includes 90-day software warranty and can be extended with a support contract.Access Upgrade licenses are available per the following table.Access Upgrade Licenses – Perpetual3Part NumberDescriptionR1U44AAEAruba ClearPass New Licensing Access Upgrade 100 Concurrent Endpoints E-LTUR1U45AAEAruba ClearPass New Licensing Access Upgrade 500 Concurrent Endpoints E-LTUR1U46AAEAruba ClearPass New Licensing Access Upgrade 1K Concurrent Endpoints E-LTUR1U47AAEAruba ClearPass New Licensing Access Upgrade 2500 Concurrent Endpoints E-LTUR1U48AAEAruba ClearPass New Licensing Access Upgrade 5K Concurrent Endpoints E-LTUR1U49AAEAruba ClearPass New Licensing Access Upgrade 10K Concurrent Endpoints E-LTUR1U50AAEAruba ClearPass New Licensing Access Upgrade 25K Concurrent Endpoints E-LTUR1U51AAEAruba ClearPass New Licensing Access Upgrade 50K Concurrent Endpoints E-LTUR1U52AAEAruba ClearPass New Licensing Access Upgrade 100K Concurrent Endpoints E-LTU3Includes 90-day software warranty and can be extended with a support contract.

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERADD-ON APPLICATION LICENSESClearPass Policy Manager ‘add-on’ application licenses are available in two types, Onboard and OnGuard.ONBOARD LICENSESThe Onboard license is used to enable automated provisioning and the creation of unique device identity certificates for anyWindows, macOS, iOS, Android, ChromeOS, and Linux devices via a user driven, self-guided portal. Onboard licenseconsumption beginning with ClearPass 6.7 is based upon an active certificate per-user model. For example, if a given user hasfour devices with an active certificate each, only one Onboard license is required. If over time, three out of the four devices areretired, and their associated certificates revoked, the fourth device certificate being active will still keep the Onboard licenseassociated to the user. The intentional onboarding of large numbers of devices by a single user to avoid purchasing Onboardlicenses is a violation of the End-User Software License Agreement.Onboard can be installed on system that is running in either Entry or Access mode. It cannot be installed directly on to anappliance without any Entry or Access licenses. Onboard licenses are available as perpetual or subscription-based licenses from100 to 100K concurrent endpoints. Multiple Onboard licenses can be installed on a standalone appliance or cluster forincreased licensed capacity, for example 100 100 100 300. Subscription licenses (which include support) are tracked bothon licensed capacity and term. If two subscription licenses are installed 6 months apart, the total term will be one and a halfyears however in the last 6 months, the licensed capacity will drop to the remaining valid subscription.Onboard licenses are available per the following table.Onboard Licenses – Perpetual3Part NumberDescriptionJZ436AAEAruba ClearPass New Licensing Onboard 100 Users E-LTUJZ437AAEAruba ClearPass New Licensing Onboard 500 Users E-LTUJZ438AAEAruba ClearPass New Licensing Onboard 1K Users E-LTUJZ439AAEAruba ClearPass New Licensing Onboard 2500 Users E-LTUJZ440AAEAruba ClearPass New Licensing Onboard 5K Users E-LTUJZ441AAEAruba ClearPass New Licensing Onboard 10K Users E-LTUJZ442AAEAruba ClearPass New Licensing Onboard 25K Users E-LTUJZ443AAEAruba ClearPass New Licensing Onboard 50K Users E-LTUJZ444AAEAruba ClearPass New Licensing Onboard 100K Users E-LTU3Includes 90-day software warranty and can be extended with a support contract.Onboard Licenses – Subscription 1 YearPart NumberDescriptionJZ445AAEAruba ClearPass New Licensing Onboard 100 Users 1yr E-STUJZ446AAEAruba ClearPass New Licensing Onboard 500 Users 1yr E-STUJZ447AAEAruba ClearPass New Licensing Onboard 1K Users 1yr E-STUJZ448AAEAruba ClearPass New Licensing Onboard 2500 Users 1yr E-STUJZ449AAEAruba ClearPass New Licensing Onboard 5K Users 1yr E-STUJZ450AAEAruba ClearPass New Licensing Onboard 10K Users 1yr E-STUJZ451AAEAruba ClearPass New Licensing Onboard 25K Users 1yr E-STUJZ452AAEAruba ClearPass New Licensing Onboard 50K Users 1yr E-STUJZ453AAEAruba ClearPass New Licensing Onboard 100K Users 1yr E-STU

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGEROnboard Licenses – Subscription 3 YearPart NumberDescriptionJZ454AAEAruba ClearPass New Licensing Onboard 100 Users 3yr E-STUJZ455AAEAruba ClearPass New Licensing Onboard 500 Users 3yr E-STUJZ456AAEAruba ClearPass New Licensing Onboard 1K Users 3yr E-STUJZ457AAEAruba ClearPass New Licensing Onboard 2500 Users 3yr E-STUJZ458AAEAruba ClearPass New Licensing Onboard 5K Users 3yr E-STUJZ459AAEAruba ClearPass New Licensing Onboard 10K Users 3yr E-STUJZ460AAEAruba ClearPass New Licensing Onboard 25K Users 3yr E-STUJZ461AAEAruba ClearPass New Licensing Onboard 50K Users 3yr E-STUJZ462AAEAruba ClearPass New Licensing Onboard 100K Users 3yr E-STUOnboard Licenses – Subscription 5 YearPart NumberDescriptionJZ463AAEAruba ClearPass New Licensing Onboard 100 Users 5yr E-STUJZ464AAEAruba ClearPass New Licensing Onboard 500 Users 5yr E-STUJZ465AAEAruba ClearPass New Licensing Onboard 1K Users 5yr E-STUJZ466AAEAruba ClearPass New Licensing Onboard 2500 Users 5yr E-STUJZ467AAEAruba ClearPass New Licensing Onboard 5K Users 5yr E-STUJZ468AAEAruba ClearPass New Licensing Onboard 10K Users 5yr E-STUJZ469AAEAruba ClearPass New Licensing Onboard 25K Users 5yr E-STUJZ470AAEAruba ClearPass New Licensing Onboard 50K Users 5yr E-STUJZ471AAEAruba ClearPass New Licensing Onboard 100K Users 5yr E-STUONGUARD LICENSESClearPass OnGuard leverages persistent and dissolvable agents to perform advanced endpoint posture assessmentsover wireless, wired and VPN connections. OnGuard’s health-check capabilities ensure compliance and network safeguardsbefore devices connect.OnGuard license consumption is based upon a per-endpoint model. For example, if the OnGuard persistent agent is to beinstalled (persistent agent) or used (dissolvable agent) on five endpoints within a 24-hour period, five OnGuard licenses arerequired.OnGuard can only be installed on system that is running in Access mode. It cannot be installed directly on to an appliancewithout Access licenses. OnGuard licenses are available as perpetual or subscription-based licenses from 100 to 100Kconcurrent endpoints. Multiple OnGuard licenses can be installed on a standalone appliance or cluster for increased licensedcapacity, for example 100 100 100 300. Subscription licenses (which include support) are tracked both on licensed capacityand term. If two subscription licenses are installed 6 months apart, the total term will be one and a half years however in thelast 6 months, the licensed capacity will drop to the remaining valid subscription.

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGEROnGuard licenses are available per the following table.OnGuard Licenses – Perpetual3Part NumberDescriptionJZ472AAEAruba ClearPass New Licensing OnGuard 100 Endpoints E-LTUJZ473AAEAruba ClearPass New Licensing OnGuard 500 Endpoints E-LTUJZ474AAEAruba ClearPass New Licensing OnGuard 1K Endpoints E-LTUJZ475AAEAruba ClearPass New Licensing OnGuard 2500 Endpoints E-LTUJZ476AAEAruba ClearPass New Licensing OnGuard 5K Endpoints E-LTUJZ477AAEAruba ClearPass New Licensing OnGuard 10K Endpoints E-LTUJZ478AAEAruba ClearPass New Licensing OnGuard 25K Endpoints E-LTUJZ479AAEAruba ClearPass New Licensing OnGuard 50K Endpoints E-LTUJZ480AAEAruba ClearPass New Licensing OnGuard 100K Endpoints E-LTU3Includes 90-day software warranty and can be extended with a support contract.OnGuard Licenses – Subscription 1 YearPart NumberDescriptionJZ481AAEAruba ClearPass New Licensing OnGuard 100 Endpoints 1yr E-STUJZ482AAEAruba ClearPass New Licensing OnGuard 500 Endpoints 1yr E-STUJZ483AAEAruba ClearPass New Licensing OnGuard 1K Endpoints 1yr E-STUJZ484AAEAruba ClearPass New Licensing OnGuard 2500 Endpoints 1yr E-STUJZ485AAEAruba ClearPass New Licensing OnGuard 5K Endpoints 1yr E-STUJZ486AAEAruba ClearPass New Licensing OnGuard 10K Endpoints 1yr E-STUJZ487AAEAruba ClearPass New Licensing OnGuard 25K Endpoints 1yr E-STUJZ488AAEAruba ClearPass New Licensing OnGuard 50K Endpoints 1yr E-STUJZ489AAEAruba ClearPass New Licensing OnGuard 100K Endpoints 1yr E-STUOnGuard Licenses – Subscription 3 YearPart NumberDescriptionJZ490AAEAruba ClearPass New Licensing OnGuard 100 Endpoints 3yr E-STUJZ491AAEAruba ClearPass New Licensing OnGuard 500 Endpoints 3yr E-STUJZ492AAEAruba ClearPass New Licensing OnGuard 1K Endpoints 3yr E-STUJZ493AAEAruba ClearPass New Licensing OnGuard 2500 Endpoints 3yr E-STUJZ494AAEAruba ClearPass New Licensing OnGuard 5K Endpoints 3yr E-STUJZ495AAEAruba ClearPass New Licensing OnGuard 10K Endpoints 3yr E-STUJZ496AAEAruba ClearPass New Licensing OnGuard 25K Endpoints 3yr E-STUJZ497AAEAruba ClearPass New Licensing OnGuard 50K Endpoints 3yr E-STUJZ498AAEAruba ClearPass New Licensing OnGuard 100K Endpoints 3yr E-STU

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERSIZING & SCALINGBeginning with ClearPass Policy Manager 6.7, capacity licenses are separated from appliance performance.When creating a bill of materials, the following method should be used:1.Identify the features required.2.Identify the load/performance required.Step 1 – Identify the Features RequiredClearPass Policy Manager licensed features fall into three categories, Entry or Access, Onboard and OnGuard. Depending onthe features required you may use one or all of them in a given environment. Entry licenses (introduced in Policy Manager 6.8) include features for basic NAC use-cases including 802.1X, MACAuthentication, Web Based User Registration and Authentication (captive portal authentication), Multi-FactorAuthentication (MFA), OnConnect and System APIs.oEntry license consumption is based upon concurrent sessions for any authenticated/authorized endpoints.For example, 10 users authenticated would consume 10 licenses. Access licenses (introduced in Policy Manager 6.7) include features for Secure NAC use-cases including 802.1X, MACAuthentication, Web Based User Registration and Authentication (captive portal authentication), Multi-FactorAuthentication (MFA), TACACS , OnConnect, System APIs, 360 Security Exchange (previously ClearPass Exchange),and standard endpoint visibility. oAccess license consumption is based upon concurrent sessions for any authenticated/authorized endpoints.oFor example, 10 users authenticated would consume 10 licenses.The 360 Security Exchange, standard endpoint visiblity and TACACS are enabled with just a minimum of100 Access licenses for unlimited use.Onboard licenses enable automated provisioning including the creation of unique device identity certificates.oOnboard license consumption is based upon the number of users with at least one active certificate each.For example, 5 users with two device certificates each would consume 5 licenses.o Onboard can be installed on top of Entry or Access licenses.OnGuard licenses enable health-check capabilities to ensure endpoint posture compliance and network safeguardsbefore devices connect.oOnGuard license consumption is based upon the number of endpoints it is installed in and consumed for 24hours upon first health check. For example, 5 persistent agents and 5 dissolvable agents perform a healthcheck, 10 licenses are consumed for 24 hours.oOnGuard can only be installed on top of Access licenses.Step 2 – Calculate the Number of Licenses NeededENTRY & ACCESS LICENSESTo better understand how Entry or Access licenses are consumed, consider the following use case: 6,000 endpoints using a mix of username/password and certificate (Corp) based authentication 2,000 IoT endpoints that use MAC address authentication 1,000 guest endpoints that use self-registration or social logins

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERGiven that all authentication methods are equal, we have 9,000 endpoints in total to consider. However, we are only concernedwith the maximum number of users concurrently authenticated/authorized.If we believe that ALL the endpoints will be concurrently connected to the network, we will need to license for 9,000. However,given the network data available (e.g. DHCP max pool size and lease times, max firewall session usage, etc), we are able todetermine that only 6,000 endpoints are ever concurrently connected to the network and therefore we only need 6,000 Entryor Access licenses.ONBOARD LICENSESTo better understand how Onboard licenses are consumed, consider the following use case: 500 users that can onboard their devices as per the BYOD policy. It is estimated that these 500 users have a total of1,500 devices based upon network usage.We just need 500 Onboard licenses since the user count is all we care about. The 1,500 devices do not matter. Additionally,Onboard licenses are consumed regardless whether the device is connected to the network or not. The license is consumed aslong as there is at least one active certificate associated with a given user.ONGUARD LICENSESTo better understand how OnGuard licenses are consumed, consider the following use case: 2,500 endpoints that have OnGuard installed and connect on a daily basisOnGuard is going to be installed on 2,500 endpoints and these endpoints will be connecting at least once daily, we will need2,500 OnGuard licenses.LICENSE SUMMARYGiven the above examples, we will need the following licenses assuming perpetual licenses: 6,000 Access Licenses: JZ404AAE (Includes 5,000) JZ402AAE (Includes 1,000) 500 Onboard Licenses: JZ437AAE (Includes 500) 2,500 OnGuard Licenses: JZ475AAE (Includes 2,500)

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERIdentify the load/performance RequiredWhen sizing the appliances, we are concerned with two types of values, burst rate for any given application that will be usedand max concurrency. These values differ depending on the appliance. ClearPass hardware appliances have the followingspecifications.C1000 Appliance( JZ508A)C2000 Appliance( JZ509A)C3000 Appliance( JZ510A)C3010 Appliance(R1V82A)Unicom S-1200 R4HPE DL20 Gen 9HPE DL360 Gen 9HPE DL360 Gen 10(1) Atom 2.40GHz C2758with Eight Cores(8 Threads)(1) Xeon 3.5GHz E31240v5 with Four Cores (8Threads)(2) Xeon 2.4GHz E52620v3 with Six Cores(12 Threads)(1) Xeon 2.3GHz Gold5118 with Twelve Cores(24 Threads)APPLIANCE SPECIFICATIONSHardware ModelCPUMemory8 GB16 GB64 GB64 GB(1) SATA (7.2K RPM)1TB hard drive(2) SATA (7.2K RPM)1TB hard drives, RAID-1controller(6) SAS (10K RPM) 600GBHot-Plug hard drives,RAID-10 controller(6) SAS (10K RPM) 600GBHot-Plug hard drives,RAID-10 controllerN/AHPE Integrated Lights-Out(iLO) Standard withShared NICHPE Integrated Lights-Out(iLO) Advanced withDedicated NICHPE Integrated Lights-Out(iLO) Advanced withDedicated NIC4 x 1Gbe2 x 1Gbe4 x 1Gbe4 x 1GbEYes(RJ-45)Yes(Virtual Serial via iLO)Yes(DB-9)Yes(DB-9)ClearPass Policy Manager6.6ClearPass Policy Manager6.6ClearPass Policy Manager6.6ClearPass Policy Manager6.7Included1U SFF Easy Install Rail1U Cable ManagementArm1U SFF Easy Install Rail1U Cable ManagementArm1U SFF Easy Install Rail1U Cable ManagementArmDimensions (WxHxD)17.2” x 1.7” x 11.3”17.11” x 1.70” x 15.05”17.1” x 1.7” x 27.5”17.1” x 1.7” x 27.8”Weight (Max Config)8.5 LbsUp to 19.18 LbsUp to 33.3 LbsUp to 36 LbsIntegrated 200WLow Noise AC-DCPower SupplyHPE 900W AC 240VDCPower Input FIO Module4HPE 500W Flex SlotPlatinum Hot PlugPower SupplyHPE 500W Flex SlotPlatinum Hot PlugPower SupplyN/AOptionalOptionalOptional100/240 VAC autoselecting100/240 VAC autoselecting100/240 VAC autoselecting100/240 VAC autoselecting50/60 Hz auto-selecting50/60 Hz auto-selecting50/60 Hz auto-selecting50/60 Hz auto-selectingC13 - NEMA 5-15P US/CA110V 10Amp Power CordC13 - NEMA 5-15P US/CA110V 10Amp Power CordC13 - NEMA 5-15P US/CA110V 10Amp Power CordC13 - C14 WW 250V10Amp Jumper CordHard Drive StorageOut of Band ManagementNetwork InterfacesSerial PortMinimum Software VersionForm FactorRackmountPowerPower SupplyPower RedundancyAC Input VoltageAC Input FrequencyPower Cord4The HPE 900W Redundant Power Supply supports100VAC to 240VAC and also supports 240VDC.

SCALING & ORDERING GUIDEARUBA CLEARPASS POLICY MANAGERC1000 Appliance( JZ508A)C2000 Appliance( JZ509A)C3000 Appliance( JZ510A)C3010 Appliance(R1V82A)5º C to 35º C(41º F to 95º F)10 to 35 C(50 to 95 F)10 to 35 C (50 to 95 F)10 to 35 C(50 to 95 F)Operation Vibration0.25 G at 5 Hz to 200 Hzfor 15 minutesRandom vibration at0.000075 G²/Hz,10Hz to 300Hz, (0.15 G’snominal)Random vibration at0.000075 G²/Hz,10Hz to 300Hz, (0.15 G’snominal)Random vibration at0.000075 G²/Hz,10Hz to 300Hz, (0.15 G’snominal)Operation Shock1 shock pulse of 20 G forup to 2.5 ms2 G’s2 G’s2 G’s-16 m to 3,048 m(-50 ft to 10,000 ft)3,050 m (10,000 ft)3,050 m (10,000 ft)3,050 m (10,000 ft)EnvironmentalOperation TemperatureOperating AltitudeVirtual appliances require similar resource specifications to ensure a consistent ClearPass experience regardless of hardware orvirtual appliance. Beginning with ClearPass 6.7, the virtual appliance SKU is a single SKU that can be used for all virtual variantsof virtual appliances. The virtual variant merely adds the letter ‘V’ to the end of the model number.ClearPass Policy Manager is currently supported (as of version 6.8.1) on the following hypervisors and virtual private clouds: VMware vSphere Hypervisor (ESXi) 6.0, 6.5, 6.5 U1, 6.5 U2, 6.7, 6.7 U1, and 6.7 U2 Microsoft Hyper-V Server 2012 R2, Microsoft Hyper-V Server 2016, Microsoft Hyper-V Server 2019, Windows Server2012 R2 with Hyper-V, or Windows Server 2016 with Hyper-V KVM on CentOS 7.5 Amazon Web Services (please refer to the Deploying Policy Manager in AWS for supported instance types)C1000 Virtual ApplianceC2000 Virtual ApplianceC30X0 Virtual Appliance(JZ399AAE)(JZ399AAE)(JZ399AAE)APPLIANCE SPECIFICATIONS24 reserved virtual CPUsCPUMemoryHard Drive StorageMinimum Network InterfacesFunctional IOP rating(40-60 read/write profile for 4Krandom read/write)8 reserved virtual CPUs(Underlying CPU is recommended tohave a PassMark of 3000 or higher)8 GB8 reserved virtual CPUs(Underlying CPU is recommended tohave a PassMark of 9600 or higher)Minimum 8 GB RAMRecommended: 16GB(When the virtual CPUs aredistributed across two physical CPUs,they are recommended to have aPassMark of 9900 or higher.When the virtual CPUs are on asingle physical CPU, it isrecommended to have a PassMark of 16,000 or higher )64 GB1000 GB disk space required(Installation will generate a primaryand backup partition)1000 GB disk space required1800 GB disk space required(Installation will generate a primaryand backup partition)(Installation will generate a primaryand backup partition)2 Gigabit virtual switched ports2 Gigabit virtual switched ports2 Gigabit virtual switched ports75105350

SCALING & ORDERING GUIDEARUBA CLEARPASS

JX922A Aruba ClearPass-Airwave DL360 500W Spare Power Supply (for use with JZ510A) R1T38A Aruba DL360 Gen10 500W Spare PSU (for use with R1V82A) SCALING & ORDERING GUIDE ARUBA CLEARPASS POLICY MANAGER . OnGuard