Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-04 Thread Cappalli, Tim (Aruba Security)
Hector,

Something definitely seems amiss then. I’ll take a look at the case.

A maximum of 1 access license is consumed per MAC address, regardless of 
multiple sessions or lack of accounting stop.

Thanks for the followup.
tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, April 4, 2018 at 12:49 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Update on my previous statement. We talked to Aruba and they saw our licensing 
count. It appears that the higher numbers we are seeing might be due to a bug. 
We do have accounting enabled everywhere. So not sure exactly what else could 
be causing this. We’ll be working with TAC and hopefully get this resolved. Our 
license count today showed 102K. We are only licensed for 75K and in the past 
we never exceeded 60K.

Hector


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Wednesday, April 04, 2018 10:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

You should look into pfSense.  It is extremely powerful and open source.  You 
can pay for commercial support.

Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Tuesday, April 3, 2018 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

This is a hot-button topic for me. The whole guest access thing has gotten 
ridiculously complex in the main players trying to funnel this through a 
behemoth NAC (same could be said for simple RADIUS) or through some other 
convoluted framework. Bluesocket (now Adtran) had a good thing going with a 
gateway that was simple to set up and use on any vendor’s WLAN. They too 
evolved into something chunky and complex. I’d love to see Adtran dust off the 
old code, make it just a wee bit updated on browser friendliness, and 
re-productize it as a cost-effective 3rd party guest solution. The rest of the 
industry has blown it in this regard, says I.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Trinklein, Jason R
Sent: Monday, April 02, 2018 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solut

RE: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-04 Thread Hector J Rios
Update on my previous statement. We talked to Aruba and they saw our licensing 
count. It appears that the higher numbers we are seeing might be due to a bug. 
We do have accounting enabled everywhere. So not sure exactly what else could 
be causing this. We’ll be working with TAC and hopefully get this resolved. Our 
license count today showed 102K. We are only licensed for 75K and in the past 
we never exceeded 60K.

Hector


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Wednesday, April 04, 2018 10:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

You should look into pfSense.  It is extremely powerful and open source.  You 
can pay for commercial support.

Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Tuesday, April 3, 2018 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

This is a hot-button topic for me. The whole guest access thing has gotten 
ridiculously complex in the main players trying to funnel this through a 
behemoth NAC (same could be said for simple RADIUS) or through some other 
convoluted framework. Bluesocket (now Adtran) had a good thing going with a 
gateway that was simple to set up and use on any vendor’s WLAN. They too 
evolved into something chunky and complex. I’d love to see Adtran dust off the 
old code, make it just a wee bit updated on browser friendliness, and 
re-productize it as a cost-effective 3rd party guest solution. The rest of the 
industry has blown it in this regard, says I.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Trinklein, Jason R
Sent: Monday, April 02, 2018 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
**

RE: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-04 Thread Turner, Ryan H
You should look into pfSense.  It is extremely powerful and open source.  You 
can pay for commercial support.

Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Tuesday, April 3, 2018 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

This is a hot-button topic for me. The whole guest access thing has gotten 
ridiculously complex in the main players trying to funnel this through a 
behemoth NAC (same could be said for simple RADIUS) or through some other 
convoluted framework. Bluesocket (now Adtran) had a good thing going with a 
gateway that was simple to set up and use on any vendor’s WLAN. They too 
evolved into something chunky and complex. I’d love to see Adtran dust off the 
old code, make it just a wee bit updated on browser friendliness, and 
re-productize it as a cost-effective 3rd party guest solution. The rest of the 
industry has blown it in this regard, says I.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Trinklein, Jason R
Sent: Monday, April 02, 2018 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University



Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Cappalli, Tim (Aruba Security)
The UI lockout mechanism was removed in 6.7. Instead a warning will be 
displayed in the web user interface as well as over syslog and SNMP when you 
exceed licensing.

We’ve really tried to make the new licensing as flexible as possible for our 
customers.

This is a good reference: ClearPass 6.7 Scaling & Ordering Guide
<https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=29193>

tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, April 3, 2018 at 11:10 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Authentication might not stop, but what about access to the UI or the ability 
to make config changes?

-H

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Tuesday, April 03, 2018 9:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Hector,

During a roam event where a new session is created, a stop should also be 
generated by the NAD, so this should be a non-issue.

Also, as of 6.7.2, TACACS+ does not directly consume any access licenses (as 
long as you have at least 100 access licenses installed, TACACS+ usage is 
unlimited).

I should also add that all licensing ‘violations’ in ClearPass are UI / trap 
warning only. Authentication will never stop.

Tim


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, April 3, 2018 at 10:02 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Ian,

6.7 introduced a new licensing scheme which is based on concurrent users, and 
it encompasses both guests, mac-auth, TACACS, etc. This means that each user or 
device will consume an Access License during an active session. This is the 
Access license. The part that really sucks is the way sessions are treated. 
Basically, if a session end is not identified, the license that is being used 
is not freed until after a period of 24 hours. In wireless environments, it is 
normal for devices to roam, turn off and on continuously, and thus establish 
multiple sessions. So, for every device that authenticates to your network, it 
will be very likely that you will see multiple active sessions, thus consuming 
more licenses than you would have planned for.

All of these new “features” were not part of the previous licensing scheme.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian Lyons
Sent: Monday, April 02, 2018 5:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Jason
That price *was* real, many years ago.
I got a pair of 5000 user licenses for ~15k, last year.
Word of caution, I have seen some vendors that say they sell Cisco and Aruba 
products "forget" discounting on Aruba.
Shop around, that is not necessarily accurate.
Having said that, quantity of users and features were not mentioned.  50k or 
more users and all the features enabled. I cannot speak to that.
Hector
I have had clearpass, on and off, for 6 years...it has always been concurrent 
users...yes to a rolling average, but not an immediate cut off if you exceed 
once or twice.
Can you elaborate?



From: Trinklein, Jason R
Sent: Monday, April 2, 17:48
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore
To: wireless-lan@listserv.educause.edu


We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trin

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Matt Freitag
We moved away from this in favor of all network auth going to ClearPass,
but we used to use Captivator-gw with moderate success in a small section
of our network:
http://net.doit.wisc.edu/~dwcarder/captivator/

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Tue, Apr 3, 2018 at 11:09 AM, Hector J Rios <hr...@lsu.edu> wrote:

> Authentication might not stop, but what about access to the UI or the
> ability to make config changes?
>
>
>
> -H
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Cappalli, Tim (Aruba
> Security)
> *Sent:* Tuesday, April 03, 2018 9:43 AM
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] ClearPass - not so clear anymore
>
>
>
> Hector,
>
>
>
> During a roam event where a new session is created, a stop should also be
> generated by the NAD, so this should be a non-issue.
>
>
>
> Also, as of 6.7.2, TACACS+ does not directly consume any access licenses
> (as long as you have at least 100 access licenses installed, TACACS+ usage
> is unlimited).
>
>
>
> I should also add that all licensing ‘violations’ in ClearPass are UI /
> trap warning only. Authentication will never stop.
>
>
>
> Tim
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <
> hr...@lsu.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Tuesday, April 3, 2018 at 10:02 AM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.
> EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] ClearPass - not so clear anymore
>
>
>
> Ian,
>
>
>
> 6.7 introduced a new licensing scheme which is based on concurrent users,
> and it encompasses both guests, mac-auth, TACACS, etc. This means that each
> user or device will consume an Access License during an active session.
> This is the Access license. The part that really sucks is the way sessions
> are treated. Basically, if a session end is not identified, the license
> that is being used is not freed until after a period of 24 hours. In
> wireless environments, it is normal for devices to roam, turn off and on
> continuously, and thus establish multiple sessions. So, for every device
> that authenticates to your network, it will be very likely that you will
> see multiple active sessions, thus consuming more licenses than you would
> have planned for.
>
>
>
> All of these new “features” were not part of the previous licensing
> scheme.
>
>
>
> Hector Rios
>
> Louisiana State University
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Ian Lyons
> *Sent:* Monday, April 02, 2018 5:10 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] ClearPass - not so clear anymore
>
>
>
> Jason
>
> That price *was* real, many years ago.
>
> I got a pair of 5000 user licenses for ~15k, last year.
>
> Word of caution, I have seen some vendors that say they sell Cisco and
> Aruba products "forget" discounting on Aruba.
>
> Shop around, that is not necessarily accurate.
>
> Having said that, quantity of users and features were not mentioned.  50k
> or more users and all the features enabled. I cannot speak to that.
>
> Hector
>
> I have had clearpass, on and off, for 6 years...it has always been
> concurrent users...yes to a rolling average, but not an immediate cut off
> if you exceed once or twice.
>
> Can you elaborate?
>
>
>
> From: Trinklein, Jason R
>
> Sent: Monday, April 2, 17:48
>
> Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore
>
> To: wireless-lan@listserv.educause.edu
>
> We are considering clearpass for our guest network captive portal. We have
> a case of sticker shock, however…at a cost of nearly $50K, it seems
> expensive for a captive portal.
>
>
>
> What alternative solutions are people using? We are very happy with
> FreeRADIUS for wireless auth, but we need a robust captive portal that
> allows OAuth/social media login or validated email/sms login. We tried
> packetfence, but in cluster mode, it wasn’t reliable.
>
>
>
> --
>
> *Jason Trinklein*
>
> *Wireless Engineer

RE: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Hector J Rios
Authentication might not stop, but what about access to the UI or the ability 
to make config changes?

-H

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Tuesday, April 03, 2018 9:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Hector,

During a roam event where a new session is created, a stop should also be 
generated by the NAD, so this should be a non-issue.

Also, as of 6.7.2, TACACS+ does not directly consume any access licenses (as 
long as you have at least 100 access licenses installed, TACACS+ usage is 
unlimited).

I should also add that all licensing ‘violations’ in ClearPass are UI / trap 
warning only. Authentication will never stop.

Tim


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, April 3, 2018 at 10:02 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Ian,

6.7 introduced a new licensing scheme which is based on concurrent users, and 
it encompasses both guests, mac-auth, TACACS, etc. This means that each user or 
device will consume an Access License during an active session. This is the 
Access license. The part that really sucks is the way sessions are treated. 
Basically, if a session end is not identified, the license that is being used 
is not freed until after a period of 24 hours. In wireless environments, it is 
normal for devices to roam, turn off and on continuously, and thus establish 
multiple sessions. So, for every device that authenticates to your network, it 
will be very likely that you will see multiple active sessions, thus consuming 
more licenses than you would have planned for.

All of these new “features” were not part of the previous licensing scheme.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian Lyons
Sent: Monday, April 02, 2018 5:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Jason
That price *was* real, many years ago.
I got a pair of 5000 user licenses for ~15k, last year.
Word of caution, I have seen some vendors that say they sell Cisco and Aruba 
products "forget" discounting on Aruba.
Shop around, that is not necessarily accurate.
Having said that, quantity of users and features were not mentioned.  50k or 
more users and all the features enabled. I cannot speak to that.
Hector
I have had clearpass, on and off, for 6 years...it has always been concurrent 
users...yes to a rolling average, but not an immediate cut off if you exceed 
once or twice.
Can you elaborate?


From: Trinklein, Jason R
Sent: Monday, April 2, 17:48
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore
To: wireless-lan@listserv.educause.edu

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with e

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Trinklein, Jason R
Max,

We set up our cluster with 7.3 and 7.4 (at different times). We found that 
database replication has failed itself often and unexpectedly, and getting them 
to rejoin each other was a herculean task and often unclear…we haven’t tried 
the active/standby, though. With active/standby, do you need to manually 
re-create your portal settings on each instance?

What features in 8.0 are you waiting for?

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Max McGrath 
<mmcgr...@carthage.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 10:48 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Jason -

I'm curious what version of PacketFence you were running?  Also, if you worked 
with Inverse, Inc. to set it up or if you set it up yourself?  If you follow 
the development of PF, you'll know the clustering dramatically improves with 
every major release.  Also, Inverse, Inc. offers phenomenal support and know 
the software inside and out (no surprise there as they are the developers!).

I only ask because we've been running PacketFence for our 802.1x and guest 
networks (and wired network) for 5+ years without any major issues.  We run in 
active/standby mode -- not cluster mode -- but do plan on moving to cluster 
mode after 8.0 is released as it has a major clustering feature we've been 
waiting on.

Max

--
Max McGrath
Infrastructure and Security Manager
Carthage College
262-551-
mmcgr...@carthage.edu

On Mon, Apr 2, 2018 at 4:47 PM, Trinklein, Jason R <trinkle...@cofc.edu> wrote:
We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University
** Participation and subscription information for this EDUCAUSE 
Constituent

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Cappalli, Tim (Aruba Security)
Hector,

During a roam event where a new session is created, a stop should also be 
generated by the NAD, so this should be a non-issue.

Also, as of 6.7.2, TACACS+ does not directly consume any access licenses (as 
long as you have at least 100 access licenses installed, TACACS+ usage is 
unlimited).

I should also add that all licensing ‘violations’ in ClearPass are UI / trap 
warning only. Authentication will never stop.

Tim


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, April 3, 2018 at 10:02 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Ian,

6.7 introduced a new licensing scheme which is based on concurrent users, and 
it encompasses both guests, mac-auth, TACACS, etc. This means that each user or 
device will consume an Access License during an active session. This is the 
Access license. The part that really sucks is the way sessions are treated. 
Basically, if a session end is not identified, the license that is being used 
is not freed until after a period of 24 hours. In wireless environments, it is 
normal for devices to roam, turn off and on continuously, and thus establish 
multiple sessions. So, for every device that authenticates to your network, it 
will be very likely that you will see multiple active sessions, thus consuming 
more licenses than you would have planned for.

All of these new “features” were not part of the previous licensing scheme.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian Lyons
Sent: Monday, April 02, 2018 5:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Jason
That price *was* real, many years ago.
I got a pair of 5000 user licenses for ~15k, last year.
Word of caution, I have seen some vendors that say they sell Cisco and Aruba 
products "forget" discounting on Aruba.
Shop around, that is not necessarily accurate.
Having said that, quantity of users and features were not mentioned.  50k or 
more users and all the features enabled. I can not speak to that.
Hector
I have had clearpass, on and off, for 6 years...it has always been concurrent 
users...yes to a rolling average, but not an immediate cut off if you exceed 
once or twice.
Can you elaborate?



From: Trinklein, Jason R
Sent: Monday, April 2, 17:48
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore
To: wireless-lan@listserv.educause.edu


We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University
***

RE: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Hector J Rios
Ian,

6.7 introduced a new licensing scheme which is based on concurrent users, and 
it encompasses both guests, mac-auth, TACACS, etc. This means that each user or 
device will consume an Access License during an active session. This is the 
Access license. The part that really sucks is the way sessions are treated. 
Basically, if a session end is not identified, the license that is being used 
is not freed until after a period of 24 hours. In wireless environments, it is 
normal for devices to roam, turn off and on continuously, and thus establish 
multiple sessions. So, for every device that authenticates to your network, it 
will be very likely that you will see multiple active sessions, thus consuming 
more licenses than you would have planned for.

All of these new "features" were not part of the previous licensing scheme.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian Lyons
Sent: Monday, April 02, 2018 5:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Jason
That price *was* real, many years ago.
I got a pair of 5000 user licenses for ~15k, last year.
Word of caution, I have seen some vendors that say they sell Cisco and Aruba 
products "forget" discounting on Aruba.
Shop around, that is not necessarily accurate.
Having said that, quantity of users and features were not mentioned.  50k or 
more users and all the features enabled. I can not speak to that.
Hector
I have had clearpass, on and off, for 6 years...it has always been concurrent 
users...yes to a rolling average, but not an immediate cut off if you exceed 
once or twice.
Can you elaborate?


From: Trinklein, Jason R
Sent: Monday, April 2, 17:48
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore
To: wireless-lan@listserv.educause.edu

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however...at a cost of nearly $50K, it seems expensive 
for a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn't reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300-8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I've got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you'll see what I'm talking about.

Hector Rios
Louisiana State University

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
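The two counting behaviours discussed in this thread (a license held per session until a stop arrives or 24 hours pass, versus at most one license per MAC address) can be compared on your own RADIUS accounting data. The following Python is an added example, not ClearPass code and not something posted by any list member; the event tuple layout, the sample records and the function names are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Release delay for a session with no accounting stop, as described in the thread.
STALE_AFTER = timedelta(hours=24)


def t(hhmm):
    """Helper for the constructed sample data: a time on 2018-04-03."""
    return datetime.strptime("2018-04-03 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample: (time, Acct-Status-Type, Acct-Session-Id, Calling-Station-Id)
EVENTS = [
    (t("08:00"), "Start", "s1", "aa:bb:cc:00:00:01"),  # roams, NAD never sends Stop
    (t("08:10"), "Start", "s4", "aa:bb:cc:00:00:02"),
    (t("08:30"), "Start", "s2", "aa:bb:cc:00:00:01"),  # roams again, still no Stop
    (t("08:40"), "Stop",  "s4", "aa:bb:cc:00:00:02"),  # clean roam: Stop then Start
    (t("08:40"), "Start", "s5", "aa:bb:cc:00:00:02"),
    (t("09:00"), "Start", "s3", "aa:bb:cc:00:00:01"),
    (t("09:10"), "Start", "s6", "aa:bb:cc:00:00:03"),
    (t("09:20"), "Stop",  "s6", "aa:bb:cc:00:00:03"),
    (t("09:30"), "Stop",  "s5", "aa:bb:cc:00:00:02"),
    (t("10:00"), "Stop",  "s3", "aa:bb:cc:00:00:01"),
]


def session_intervals(events, stale_after=STALE_AFTER):
    """Pair Start/Stop records by session id; unmatched sessions expire after stale_after."""
    starts, stops = {}, {}
    for when, status, sid, mac in events:
        if status == "Start":
            starts[sid] = (when, mac)
        elif status == "Stop":
            stops[sid] = when
    intervals, stale = [], []
    for sid, (begin, mac) in starts.items():
        end = stops.get(sid)
        if end is None or end < begin:  # no usable Stop for this session
            end = begin + stale_after
            stale.append(sid)
        intervals.append((begin, end, mac))
    return intervals, sorted(stale)


def peak_usage(events, stale_after=STALE_AFTER):
    """Return (peak concurrent sessions, peak concurrent MACs, stale session ids)."""
    intervals, stale = session_intervals(events, stale_after)
    edges = []
    for begin, end, mac in intervals:
        edges.append((begin, 1, mac))
        edges.append((end, -1, mac))
    # At equal timestamps process releases (-1) before new sessions (+1).
    edges.sort(key=lambda e: (e[0], e[1]))
    per_mac = Counter()
    sessions = peak_sessions = peak_macs = 0
    for _, delta, mac in edges:
        sessions += delta
        per_mac[mac] += delta
        if per_mac[mac] == 0:
            del per_mac[mac]
        peak_sessions = max(peak_sessions, sessions)
        peak_macs = max(peak_macs, len(per_mac))
    return peak_sessions, peak_macs, stale


if __name__ == "__main__":
    by_session, by_mac, stale = peak_usage(EVENTS)
    print(f"peak by session: {by_session}, peak by MAC: {by_mac}, no Stop seen: {stale}")
```

A per-session peak well above the per-MAC peak, together with a long list of sessions that never received a stop, points at NADs that are not sending accounting stops on roam.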



Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Julian Y Koh
> On Apr 2, 2018, at 16:47, Trinklein, Jason R  wrote:
> 
> We are considering clearpass for our guest network captive portal. We have a 
> case of sticker shock, however…at a cost of nearly $50K, it seems expensive 
> for a captive portal.

As others have said, talk to your account rep - there may be ways to reduce the 
pricing.  

ClearPass is expensive, especially if you’re getting it just for a single 
function.  The value IMO comes about when you are able to leverage multiple 
capabilities, since again purely IMO Aruba has done a pretty good job of 
integrating disparate/acquired products into a cohesive whole.  



-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
PGP Public Key: 





RE: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Lee H Badman
This is a hot-button topic for me. The whole guest access thing has gotten 
ridiculously complex in the main players trying to funnel this through a 
behemoth NAC (same could be said for simple RADIUS) or through some other 
convoluted framework. Bluesocket (now Adtran) had a good thing going with a 
gateway that was simple to set up and use on any vendor’s WLAN. They too 
evolved into something chunky and complex. I’d love to see Adtran dust off the 
old code, make it just a wee bit updated on browser friendliness, and 
re-productize it as a cost-effective 3rd party guest solution. The rest of the 
industry has blown it in this regard, says I.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Trinklein, Jason R
Sent: Monday, April 02, 2018 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University



Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-02 Thread Max McGrath
Jason -

I'm curious what version of PacketFence you were running?  Also, if you
worked with Inverse, Inc. to set it up or if you set it up yourself?  If
you follow the development of PF, you'll know the clustering dramatically
improves with every major release.  Also, Inverse, Inc. offers phenomenal
support and knows the software inside and out (no surprise there as they are
the developers!).

I only ask because we've been running PacketFence for our 802.1x and guest
networks (and wired network) for 5+ years without any major issues.  We run
in active/standby mode -- not cluster mode -- but do plan on moving to
cluster mode after 8.0 is released as it has a major clustering feature
we've been waiting on.

Max

--
Max McGrath  
Infrastructure and Security Manager
Carthage College
262-551-
mmcgr...@carthage.edu

On Mon, Apr 2, 2018 at 4:47 PM, Trinklein, Jason R 
wrote:

> We are considering clearpass for our guest network captive portal. We have
> a case of sticker shock, however…at a cost of nearly $50K, it seems
> expensive for a captive portal.
>
>
>
> What alternative solutions are people using? We are very happy with
> FreeRADIUS for wireless auth, but we need a robust captive portal that
> allows OAuth/social media login or validated email/sms login. We tried
> packetfence, but in cluster mode, it wasn’t reliable.
>
>
>
> --
>
> *Jason Trinklein*
>
> *Wireless Engineering Manager*
>
> College of Charleston
>
> 81 St. Philip Street | Office 311D | Charleston, SC 29403
> 
>
> trinkle...@cofc.edu | (843) 300–8009
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <
> hr...@lsu.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Monday, April 2, 2018 at 5:23 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
> *Subject: *[WIRELESS-LAN] ClearPass - not so clear anymore
>
>
>
> I’ve got two complaints about this product. One, it seems like with every
> patch or upgrade, this solution is getting worse and worse. This is
> disappointing because when we bought this solution two years ago it was
> rock solid. Second, due to the new licensing scheme, we are now exceeding
> our licensing capacity. How convenient for Aruba, right? As some of you
> might know, the new licensing scheme is based on concurrency. When we
> purchased the solution the licensing scheme was based on rolling averages.
> Yes, the new licensing scheme is attempting to make things simpler, but at
> a higher cost. Ask your rep how much a 25K server costs and you’ll see what
> I’m talking about.
>
>
>
> Hector Rios
>
> Louisiana State University
>



Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-02 Thread Rumford, Charles
We are using PacketFence (in non-clustered mode) in a VM for handling our guest 
and device networks. I've been really happy with it, and the support from 
Inverse is pretty awesome.

Our 802.1x network is powered by FreeRADIUS 3 with a Kerberos backend.

We have an in-house built system that manages the MAC address registration and 
the MAC address blacklisting. It pushes the registrations down to the 
PacketFence server via API call, and the radius server pulls the blacklist via 
an API call on regular intervals. The captive portal for the black listed 
devices is also powered by PacketFence.


From: Ian Lyons <ily...@rollins.edu>
Sent: Monday, April 2, 2018 18:10
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Jason
That price *was* real, many years ago.
I got a pair of 5000 user licenses for ~15k, last year.

Word of caution, I have seen some vendors that say they sell Cisco and Aruba 
products "forget" discounting on Aruba.

Shop around, that is not necessarily accurate.

Having said that, quantity of users and features were not mentioned.  50k or 
more users and all the features enabled. I can not speak to that.

Hector

I have had clearpass, on and off, for 6 years...it has always been concurrent 
users...yes to a rolling average, but not an immediate cut off if you exceed 
once or twice.

Can you elaborate?




From: Trinklein, Jason R
Sent: Monday, April 2, 17:48
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore
To: wireless-lan@listserv.educause.edu


We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hector J Rios <hr...@lsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University



Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-02 Thread Trinklein, Jason R
We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Hector J Rios 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University