Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

ClearPass CLI update

This thread has been viewed 30 times

  • 1.  ClearPass CLI update

    Posted Oct 15, 2014 08:38 AM

    Hello there.

    So here is the situation.

    We have the master .33 and the standby.66

    Somehow, the Master has been updated and not the controller so now the version do not match and the sync stopped.

    I was trying to update the stanbdy to 6.4.1 but every steps I found involve the GUI (to import the .bin update file).

     

    The issue is that we do not have access to the standby GUI anymore. We tried all pasword possible (even the eTIPS123) but it wouldn't connect.

    SSH works fine though.

    So I was wondering what would be the command to import my

    CPPM-x86_64-20140917-clearpass-6.4-updates-1-64-patch.signed.bin

    to  /var/avenda/platform/store/updates/

    so I can run the update through CLI

     

    Or is there an equivalent to the GUI auto update but CLI only ?

     

    Thanks



  • 2.  RE: ClearPass CLI update

    EMPLOYEE
    Posted Oct 15, 2014 08:48 AM

    Easiest way would be to download the upgrade file from the support site, upload it to an internal web server and then use the upgrade command at the cli pointing to the web address.

     

    system upgrade http://hostname/<filepath>

     

     

     



  • 3.  RE: ClearPass CLI update

    Posted Oct 15, 2014 10:13 AM

    Thanks,

    I tried but it gives me Extracting image...
    ERROR - Validating upgrade image failed

    Checksum is good though :(

    The file is

    CPPM-x86_64-20140917-clearpass-6.4-updates-1-64-patch.signed.bin



  • 4.  RE: ClearPass CLI update

    EMPLOYEE
    Posted Oct 15, 2014 10:15 AM
    Try using the update command instead of upgrade.


  • 5.  RE: ClearPass CLI update

    Posted Oct 15, 2014 10:16 AM

    same :(



  • 6.  RE: ClearPass CLI update

    EMPLOYEE
    Posted Oct 15, 2014 10:17 AM

    Hm. It might be faster to open a TAC case at this point.



  • 7.  RE: ClearPass CLI update

    Posted Oct 15, 2014 10:26 AM

    Yes, I also, did , but it takes for ever to get an engineer available :(

     

    But your help is much appreciated



  • 8.  RE: ClearPass CLI update

    EMPLOYEE
    Posted Oct 15, 2014 10:30 AM

    Your other option would be to just reset the database on the subscriber, upgrade it, then rejoin it to the cluster.

     

    You'll want to make sure you have a copy of the server certificate and private key before you do this.

     

     

    cluster reset-database

     



  • 9.  RE: ClearPass CLI update

    EMPLOYEE
    Posted Oct 15, 2014 03:10 PM

    Did you try restarting the services. Is there an error when you restart http service?

     

    Also if you do an upgrade on the cli you need have a secure connection. 

     

    What version are you upgrading from.



  • 10.  RE: ClearPass CLI update
    Best Answer

    Posted Oct 15, 2014 03:26 PM

    Hi ,

    I just finished a conversation with TAC.

    The file was originaly download on the subscriber but because of a DC issue couple days ago the update failed.

    That said the file was still there but couldn't be use for the upgrade as the name wasn't the same than the orginal one.

    TAC used the backdoor to check the current name of the .bin file

    then forced the udpate

    then clear the database completely

    and then re-add as a subscriber (we already dropped it yesterday).

     

    Everything is up and running ,

    TAC confirmed that I had no other choice than talking to them to get the exact file name.

     

    Thank you all.