Security

!!!!!!!!! PLEASE READ THE RELEASE NOTES !!!!!!!!!!!!

I ask that everyone make sure you make backups of your data and certs before you proceed......



Hello all

ClearPass 6.3.0 is now available. Please review the attached release notes, Chapter -3 - ‘Whats New in This Release’ section for information on new features and enhancements in this release.

Upgrade instructions:

Please review Chapter 2 of the release notes for upgrade support for your current ClearPass versions.
Upgrade images are available within ClearPass Policy Manager from the Software Updates Portal at,
> Administration >Agents and Software Updates > Software updates.
For ClearPass appliances which do not have access to the Internet, the upgrade image is available on the Aruba Networks support site at,
> Downloads > ClearPass > Policy Manager > Current Release > Upgrade
Evaluation and production VM images are in the process of being uploaded to the support site and the ClearPass web service. We are working with IT to post them. They should be available within the next 24 hours here:
> Downloads > ClearPass > Policy Manager > Current Release

VM Upgrades to 6.3.0:

If you are installing a fresh ClearPass 6.3 VM, then please review the hard disk requirements in the VM install document (attached) as they have changed in this release.
If you are upgrading to 6.3 from prior releases, then you have to attach a larger disk. Please review the disk requirements in the VM install document for different VM models.
After upgrading to ClearPass 6.3, an additional hard disk is no longer required to upgrade to future versions. During the upgrade process, a second partition equal to the size of the original is automatically created on the attached larger disk. The second partition will be used for all future upgrades.

I Love new versions :)

GOOD TIP!

The Event Viewer now includes events related to the RAID controller state. Note that this feature is
only available for CP-HW-5K and CP-HW-25K SKUs. (#14706)

 

Awesome!  Been needing something like this since DRAC isn't available on the physical appliances.  I assume all RAID related events such as bad disks and degraded RAID will be recorded in event viewer?  Will be upgrading and setting up email alerts soon if that's the case!

 

Usernames are now case-insensitive. (#15809)

 

Where does this apply?  All RADIUS authentications?

 

An advanced option in the domain joining interface can provide explicit domain controller information
to Samba, assisting the user to control what domain controllers CPPM will use for authentications.
(#14738)

 

Another good one!

 

Added the ability to send a warning email before a user’s Onboard device credentials expire. This is
configured at Onboard > Provisioning Settings > General tab > Actions > Notify users before
their credentials expire. (#12625)

 

This is a step in the right direction.  Is the user able to do anything from the email they receive? Does it provide a link to re-onboard them or renew their certificate, or is it just informational?

 

 

Overall, this is a great upgrade!  I'm a little disappointed to see that some of the (good) features I've suggested haven't made it in yet:

 

In Access Tracker - Note which enforcement rule resulted in accept/reject

 

Multiple IPs for Network Devices

thecompnerd,

 

For your first feature request, is this what you are looking for?

 

 

cappalli,

 

I'd like to see the Enforcement Policy conditions that were matched.  This would just speed up troubleshooting when an authentication doesn't get the expected enforcement profile and you need to determine which conditions were matched.

iDRAC enterprise is currently available on the CP-HW-25K that we started shipping last April (DELL R620). Previous to that it was the Express version the same version we ship on the 5K-HW (DELL R210)....you can expect the next version of the 5K h/w to include enterprise iDRAC as well.

 

There is a lenghty IDRAC + CPPM TechNote I did about Sept last year....get your friendly CPPm specialist/SE to share a copy with you.

 

 

Username - Guest usernames are now handles as case insensitive...

 

After upgrade / restore ‘user’ will work, ‘User’ is renamed ‘User-disabled

 

 

Double the disk space required?!

This still is the space of 1 disc? Or did you just double it to indicate the 2nd disk required for upgrading?

 

What the heck are you doing with all that disk space?

Is there an easy way to see how much is realy in use?

In the initial vm for example

VM500

1 250 for running
1 250 for upgrade

Now you will only need 1 500

This is one of the foundations for Hyper -v support.

Anyone else seeing this EncryptFS error on a fresh install of 6.3?

I'm not a linux or vmware guy. Am I missing something?

 

vmware ESX 5.1

 

UPDATE 1: Enabled Intel AES-NI in the BIOS, but still getting the errors below it.

UPDATE 2: Creating the second disk manually seems to bypass this error.

 

These messages are harmless and can be ignored. They do appear in some of the older versions too. We will be suppressing them in a subsequent release.

ok, so not double the capacity, just consolidate all on 1 disk.

 

From the vm install guide:

"

If you have two disks already loaded with previous ClearPass versions—6.1 on SCSI 0:1 and 6.2 on SCSI
0:2—you should drop the SCSI 0:1 before upgrading. You must then add a newer disk, which will
automatically get the SCSI 0:1 slot with a larger capacity for 6.3."

 

So how do I know which disk ClearPass is using so I can remove the other and replace it by a bigger one?

And what if the result is my current version is running on 0:1, can I then savely drop  0:2 and use its replacement?

 

 

Figuring out which disk is active v inactive, the best way is to use the vSphere/vCenter tools...in vSphere.....

 

 

Hope this helps.

Thanks dannyjump.

 

You are confirming here that it is no problem ending up with only disk 2 (scsi 0:2) right?

Correct.....it would be acceptable to have 

 

SCSI 0:0   &   SCSI 0:1

 

or

 

SCSI 0:0   &   SCSI 0:2

What happens if you do upgrade and don't upgrade the disks?  I upgraded mine fine keeping the 250GB disks, it complained but then it booted ok.

If you don't remove and upgrade the disk then you will have HALF the previous disk space for your new CPPM 6.3.0 system now you had under CPPM 6.2.0.

 

What ever disk we install on we will format and create TWO equal sized partitions on that physical (actually virtual - but you guys know what I mean) disk....

 

We will install 6.3.0 on one of them and then in the future 6.3.1 say on the other.....say this is 0:2 and your happy you can remove the 0:1 disk (say this was a 6.2.4 system) and reclaim this disk space.....now when you come to install 6.3.1 in say July you will not have to add any more disk like we have to in the past as we (CPPM) has all this disk it needs now....this is why you removed the disk, doubled its size and added it back......we think this will make life easier going forward....we (CPPM) will manage the disk partitions.

Thank you for all the upgrade notes - they helped a lot. One question regarding disk space, though - since now we are dividing the disk into two partitions and one of the partitions is not being used, how should I interpret the recommended disk space given in the installation note? For example, for the CP-VA-500 edition, the note recommends 500GB of disk space. Does this mean that I am o.k. using a 500 GB drive that it will then divide into two 250GB partitions (and only really use one of them), or do I need to use a 1TB drive since Clearpass will then really use only one of the 500GB partitions?

The disk space mentioned in the 6.3 notes is indeed for both partitions.

You do not create those partitions yourself by the way.

Gotcha - that's the way I read it, but figured I would double-check. Thanks!

I hate to beat a dead horse but just double checking on one aspect of the upgrade relating to the hard drive size.  I have a 5k with an existing 500G of disk space attached to the VM (and only 9G is in use so far).  Per the notes, I need to add another 500G of disk space and that will be used by the upgrade process by it partioning it into two 250G partitions and will use one for the 6.3 software and leaves the other partion for a future upgrade.

 

Separate question - we have two 5k's and one 500. The software subscription link was used to "download" the software. I believe it's stored somewhere on the publisher.  Once I upgrade the publisher, how do I go about upgrading the subscribers?

 

 

Thanks

To answer your two questions......

 

Re the second disk, your correct, attach the second disk and we will partition that disk 'under-the-covers' in to two separate partitions, one used as the live, running partition and the other will be used going forward to upgrade say to 6.4. You can then remove the disk currently in use and you'll never have to add a disk going forward as we have the two partitions which we will handle from inside CPPM.

 

Re the upgrade, you have to separately upgrade the subscribers, its  a manual process for each node.

Fair warning to those who use  the Onguard Web agent.  It has changed and is now intergrated into Guest.  

Well I upgraded to 6.3 and it seemed ok but couldn't log into the gui (said bad username/password).  We did a password reset to defaults and got in fine but then found the system was at a default install state.  No db, profiles, roles, policies.  Backed out to 6.2.5 while support looks at the logs etc.   Anyone else have upgrade issues with 6.3?

The only time I have seen that is if you enabled FIPS. It will do a factory reset on the db

I had one system that lost its domain trust relationship after the upgrade - I removed ClearPass from the domain and re-joined the domain, and then the trust relationship was re-established.

Hey, I saw this update download on my appliances last week (a pair of CP-HW-5K) and was planning on upgrading today.  Now it's not listed under "Firmware and Patch updates"... I'm certain it was there last week.  What happened?  I don't want to have to manually download again, it takes hours on this connection.

issues with the downloadserver due to very high volume I'm told.

They (Aruba) are working on it but till then you can download it (manualy) from the support site.

Yeah, but it already downloaded.  I saw it download last week, and it was listed under the firmware updates on my appliance, with the "Install" button all ready to go.  Now it's gone?  

Koenv is correct, the downloads was removed from the update page in CPPM so you will need to re-download, Import and run the upgrade instead.

 

We experienced the exact same situation. We're stunned that Aruba was able to delete files from our ClearPass server without our permission. So much for using it in a PCI or FIPS environment. We're definitley looking at other vendor options.

 

Fred

The download was not removed physically by Aruba on your local CPPM. You sever calls home every night to see if there are any updates and that was removed from the list so your server removed it from the download options in your gui.

Hi Troy,

 

The file was physically deleted from our CPPM servers. We received confirmation from Aruba late Friday that the download agent deleted the 6.3 upgrade on any server that had already downloaded the file.

 

We had already downloaded the upgrade. The file was on our local CPPM server. Whether done by a software agent that calls home or manually it was still deleted by an Aruba controlled mechanism.

 

Thanks,

Fred

We are looking at upgrading. I understand that I will need to add a 500GB hard drive that will be partitioned. At which point I should be able to remove my current Hard Drive running 6.2. 

 

My question is this. I am looking for a backout plan if something goes wrong. If things go south is it best to just power down, remove the added drive and everything should be as before from the 6.2 drive when I boot back up? Or is it better to revert to a snapshot that I could create before starting the upgrade process?

 

 

For your use case you have two options as I see it.

 

1. As you mentioned, take a snapshot and use this to roll back

 

2. Just simply use the ability to have CPPM boot from different boot partitions. After you have added the new disk you will have the ability to set which boot partition CPPM uses. If you have a requirment to roll-back, then uder the appadmin userid running this following commands......

 

system boot-image -l   (Will show you the boot partitions CPPM is aware, plus it shows you the active partitions)....

E.g.   ClearPass Platform 6.3.1.62009 [Active] on SCSI (0:1)

 

system boot-image -a  (will allow you to set the boot partition CPPM will use next......)

 

 

 

Hope this helps.

 

 

 

Awesome! Thanks, that makes me feel much more confident. I know that if I don't plan a backout, something bad will inevitably happen. 

 

Just upgraded to 6.3 and I'm having no luck.  Waited about 30 min and couldn't get to the web interface so I logged into the CLI.  Most of the services weren't running so I manually started them.  Then, I tried logging into the GUI, but none of my passwords worked.  I tried the admin account, both the password I set and the default eTIPS123 password.  Neither worked.  My guess is that the backup was not restored after the upgrade.  I tried manually restoring the backup, but CPPM can't find the restore file.  Not sure if I'm using the wrong name or extension...  Guess I'll boot back to the 6.2. 

Depending on the database size it could take awhile to upgrade. (I?ve had a few take over an hour) I would suggest that you open a TAC case and have them take a look if it happens again.

Thanks Troy.  Patience is key.  It took about 2 hours for most of my nodes.

glad to hear it. We are optimizing the latest releases to speed up the process

Hi,

 

i cannot see the attached document, could you please re-upload it? i need the hardware capacity changes requirement for VM installation.

 

R.L.

All release notes are on the support site.

 

http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/6875/Default.aspx