Issues after 6.0.2 upgrade

After upgrading my 6.0.1 publisher and subscribers, the subscribers became out of sync and the issue would not resolve itself. I had to drop all subscribers then re-add them. Has anyone else had this issue?

 

I started by upgrading the publisher.  Then I upgraded each subscriber and started to notice the sync issue.  Is this the correct procedure for upgrading a cluster?

 

Also, the TACACS service that I set up for CPPM login stopped working after the upgrade. I can no longer log in with my AD credentials; I have to use the local admin account. AD authentication is working for other services such as .1X; the issue seems to be specifically with TACACS. Access Tracker has logged the following error when trying to log in with AD credentials: "Internal error in performing authentication". The logon attempt details don't even show that an authentication source is being used. I've tried creating a new TACACS service for CPPM login, but I get the same error.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite

Re: Issues after 6.0.2 upgrade

Please reach Tech support.  There could either be a bug, or an error in how you are upgrading...

 



Colin Joseph
Aruba Customer Engineering


Re: Issues after 6.0.2 upgrade

I opened up a case in tandem with this topic. TAC has figured out that the issue is with the publisher, but the ticket has been escalated. I have a conference call with the escalation team and will report back with a solution in case it may be useful to someone in the future.

Occasional Contributor II

Re: Issues after 6.0.2 upgrade

Had the same issue here getting my cluster complete. Changing the cluster password to something without special characters after the upgrade to 6.0.2 did the trick for me.

 

Regards,


Johan

Re: Issues after 6.0.2 upgrade

Cluster Sync Fix

 

Here is the reply from the engineering team:

 

The root cause for the cluster setup failure was some duplicate data in the publisher data post upgrade/migration. There was an enforcement policy "Guest Operator Logins" which conflicted with a policy of the same name that was introduced as default data in 6.0.2.

Workaround:

1) Create a new enforcement policy "AD Guest Operator Logins" with default enforcement profile "[Deny Application Access Profile]". Add the following rule to it "(Authorization:AD Servers:memberOf CONTAINS ClearPass-Admin)" and return the profile "Guest Operator - Super Administrator" to this rule.

2) Edit the "ClearPass Guest Login" service and attach the enforcement policy created above. Save the service.

Adding the subscriber should work after this.

 

TACACS Fix

 

TACACS is now working.  The fix involved deleting an invalid certificate from the Certificate Trust List and restarting all of the CP services:

 

  1. Administration > Certificates > Trust List
  2. Set Filter: Enabled equals Enabled
  3. Delete certificate(s) that are showing invalid.
  4. Log in to the CP server via CLI.
  5. Log in as app admin.
  6. Type: service restart all

Although this fixed TACACS, our cluster is still not syncing.   I will report back with the fix for that.
