MVP
Posts: 485
Registered: ‎04-03-2007

Changing ClearPass IP management address

We needed to move some of our subscribers from an old network to a new network. (In this case, the Publisher was/is on a different network.) Contrary to my belief that changing an IP address should be a trivial thing, it turned out to be a bit of an adventure to figure out exactly what order of events had to happen. I'm sharing that here so no one else struggles as I did. If you have a better way to do this, please reply to help your fellow wifi-er.

 

Failure #1:

We disconnected a subscriber, moved it, and plugged it into a new switchport that had the new network's vlan. Via console/CLI, I issued the "configure ip mgmt..." command, but to my surprise, it wasn't accepted. The reason for this is that it needs to communicate with the Publisher in order to change its IP. This creates a catch-22, as the old network was not available to the server any longer. We tried removing the subscriber from the publisher, but that got us in a worse state, as the subscriber still thought it was part of the cluster.

 

We ended up physically moving the server back and then had to "drop subscriber" on the subscriber so it became a standalone node. Only then, while on the old network, were we able to rejoin it to the cluster and get back to square 1.

 

Failure #2:

Via the Publisher, we changed the mgmt IP of the subscriber to the new network. We confirmed via console that the subscriber had the new IP on it. However, the Publisher's dashboard still reflected the old IP. At this point, however, communication between Publisher and Subscriber was broken, since the subscriber's IP had changed.

 

Success:

We moved the server to the port with the new network so it would have IP connectivity. We then issued the "configure ip mgmt..." CLI command, which this time around succeeded, as the subscriber (on the new network) had IP connectivity and could reach the Publisher.

 

 

Summary:

When changing the IP, it's evident that ClearPass first changes the IP and THEN it tries to establish Publisher<->Subscriber communication. IMO, this is backwards, as changing the IP breaks the communication that's required to have each node inform the other of the change.

 

Going forward, when/if we need to change IPs, we will:

  1. Console/CLI to the subscriber and issue the "configure ip mgmt..." command. The IP will change but communication to the Publisher will fail. An error will be displayed.
  2. (If applicable, shutdown and move server / recable as necessary)
  3. Verify IP connectivity on new IP/network
  4. Re-issue the "configure ip mgmt..." command, which should succeed so long as the Subscriber can communicate to the Publisher on the new IP/network.

 

I hope this helps someone!

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
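Step 3 of the procedure above ("verify IP connectivity on new IP/network") is the one that decides whether the second "configure ip mgmt..." attempt succeeds, so here is a small pre-flight script for it. This is an added example, not code from the original post or from ClearPass: it assumes a Linux-style shell with the `ip` tool available on the subscriber, and it assumes TCP 443 as the Publisher port to probe (adjust to whatever port your cluster actually uses). The interface output it parses by default is a constructed sample.

```python
"""Pre-flight check before re-issuing "configure ip mgmt..." on a moved
ClearPass subscriber: confirm the new management IP is actually bound on
a local interface, and confirm the Publisher answers on that network.
Added illustration; not ClearPass code."""
import re
import socket
import subprocess

# Constructed sample of `ip -o -4 addr` output (not taken from the post).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""


def local_ipv4_addresses(ip_addr_output):
    """Parse `ip -o -4 addr` output into the set of bound IPv4 addresses."""
    return set(re.findall(r"\binet (\d+\.\d+\.\d+\.\d+)/\d+", ip_addr_output))


def has_local_ip(expected_ip, ip_addr_output=None):
    """True if expected_ip is bound locally. Runs `ip -o -4 addr` unless
    output is supplied (supplied output makes this testable offline)."""
    if ip_addr_output is None:
        ip_addr_output = subprocess.run(
            ["ip", "-o", "-4", "addr"], capture_output=True, text=True, check=True
        ).stdout
    return expected_ip in local_ipv4_addresses(ip_addr_output)


def publisher_reachable(host, port, timeout=3.0):
    """Plain TCP connect test to the Publisher. Any OSError (refused,
    unreachable, timeout, no route) is reported as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ready_to_reissue(new_ip, publisher_ip, publisher_port=443, ip_addr_output=None):
    """Return (ok, checks). Only re-issue "configure ip mgmt..." when ok is True.
    publisher_port=443 is an assumption, not a documented cluster port."""
    checks = {
        "new_ip_bound": has_local_ip(new_ip, ip_addr_output),
        "publisher_reachable": publisher_reachable(publisher_ip, publisher_port),
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py <new-subscriber-ip> <publisher-ip> [port]")
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    ok, checks = ready_to_reissue(sys.argv[1], sys.argv[2], port)
    for name, passed in checks.items():
        print(f"{name}: {'OK' if passed else 'FAIL'}")
    sys.exit(0 if ok else 1)
```

Run it from the subscriber after recabling; a non-zero exit means one of the two preconditions the original post identifies (IP applied locally, Publisher reachable on the new network) is still missing, and re-issuing the command will fail the same way the first attempt did.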
MVP
Posts: 739
Registered: ‎04-13-2009

Re: Changing ClearPass IP management address


Ouch, sounds like a bit of a pain.

 

Can't you just run drop subscriber, change the IP of the dropped sub, move to new location, run make subscriber, profit?

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

MVP
Posts: 485
Registered: ‎04-03-2007

Re: Changing ClearPass IP management address

Probably, but what you outlined is 4 steps vs the 3 I outlined (if you exclude "verify" as a step). IMO, dropping/adding subscribers is a longer wait than running the IP reconfig a couple times.

 

In any case, probably multiple ways to do it, but changing an IP address isn't supposed to be so difficult. I figured I'd help others out with this post.

 

We will have to do this to the publisher, too, and for that, I anticipate having to first promote a subscriber as a temporary publisher before executing the same process, followed by repromoting the old publisher.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University