Security

Hi

I'm working with a customer running a 5 node ClearPass cluster with old CP-HW-25k hardware, now C3000, based on Dell R620, R630 and DL360 Gen9 hardware. As all these hardware models do not support 6.10 and reach end of support in April next year new hardware will be installed.

For the replacement process I have planned to bring in the new servers as subscribers in the cluster, move the VIP addresses and Publisher role and then drop the old servers. After the drop upgrade to 6.10.x

But the current servers have had several issues where I have involved TAC. In 2019 a major cluster crash, server crash during upgrade to 6.8, and now after upgrade to 6.9 I have two nodes not loggning TACACS+ in the Access Tracker. Still working with TAC on that issue. So I have started to rethink the replacement process. Could it be a risk of transfer faulty or corrupt databases if I join the new nodes to the cluster and by this inherit any issues that may hiding in the databases?
Would it be a better option, with a bit more work, to migrate all configuration with XLM files from the old cluster to a new cluster built side by side?
The configuration is not to complex to migrate with XML export/import.
This way I can also start with 6.10.x from the start.
Finally to switch the production to the new cluster I manually move the VIP addresses from one cluster to the other.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSA, ACEP
Aranya AB
------------------------------

I think you basically have 4 options:
- Join server to the cluster, drop old ones, upgrade
- Backup config on existing cluster, restore on the new hardware (could be running 6.10)
- Start from scratch and use XML to convert parts of the config.
- Start from scratch on the new hardware, and rebuild your policy

If you don't trust the existing databases, the last option (build all from scratch) is the most safe. Also, this allows you to bring in your latest insights, standards and best practices, and you touch every part of the configuration and are forced to think about it. Then, if you have the hardware, I would build a new cluster in parallel, as you can easily swap back and forth in the case there are issues, and you can (if you leave it accessible) look back in the old servers and configuration.

My experience with backup/restore are pretty ok; but if you don't trust the existing deployment, XML may be a good alternative.

In my experience, TAC is willing to support in reviewing your upgrade scenario.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Dec 17, 2021 04:50 AM
From: Jonas Hammarback
Subject: Life cycle ClearPass hardware

Hi

I'm working with a customer running a 5 node ClearPass cluster with old CP-HW-25k hardware, now C3000, based on Dell R620, R630 and DL360 Gen9 hardware. As all these hardware models do not support 6.10 and reach end of support in April next year new hardware will be installed.

For the replacement process I have planned to bring in the new servers as subscribers in the cluster, move the VIP addresses and Publisher role and then drop the old servers. After the drop upgrade to 6.10.x

But the current servers have had several issues where I have involved TAC. In 2019 a major cluster crash, server crash during upgrade to 6.8, and now after upgrade to 6.9 I have two nodes not loggning TACACS+ in the Access Tracker. Still working with TAC on that issue. So I have started to rethink the replacement process. Could it be a risk of transfer faulty or corrupt databases if I join the new nodes to the cluster and by this inherit any issues that may hiding in the databases?
Would it be a better option, with a bit more work, to migrate all configuration with XLM files from the old cluster to a new cluster built side by side?
The configuration is not to complex to migrate with XML export/import.
This way I can also start with 6.10.x from the start.
Finally to switch the production to the new cluster I manually move the VIP addresses from one cluster to the other.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSA, ACEP
Aranya AB
------------------------------

Thank you for the answer.
I will evaluate the pros and cons for each method.

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSA, ACEP
Aranya AB
------------------------------

Original Message:
Sent: Dec 17, 2021 11:12 AM
From: Herman Robers
Subject: Life cycle ClearPass hardware

I think you basically have 4 options:
- Join server to the cluster, drop old ones, upgrade
- Backup config on existing cluster, restore on the new hardware (could be running 6.10)
- Start from scratch and use XML to convert parts of the config.
- Start from scratch on the new hardware, and rebuild your policy

If you don't trust the existing databases, the last option (build all from scratch) is the most safe. Also, this allows you to bring in your latest insights, standards and best practices, and you touch every part of the configuration and are forced to think about it. Then, if you have the hardware, I would build a new cluster in parallel, as you can easily swap back and forth in the case there are issues, and you can (if you leave it accessible) look back in the old servers and configuration.

My experience with backup/restore are pretty ok; but if you don't trust the existing deployment, XML may be a good alternative.

In my experience, TAC is willing to support in reviewing your upgrade scenario.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 17, 2021 04:50 AM
From: Jonas Hammarback
Subject: Life cycle ClearPass hardware

Hi

I'm working with a customer running a 5 node ClearPass cluster with old CP-HW-25k hardware, now C3000, based on Dell R620, R630 and DL360 Gen9 hardware. As all these hardware models do not support 6.10 and reach end of support in April next year new hardware will be installed.

For the replacement process I have planned to bring in the new servers as subscribers in the cluster, move the VIP addresses and Publisher role and then drop the old servers. After the drop upgrade to 6.10.x

But the current servers have had several issues where I have involved TAC. In 2019 a major cluster crash, server crash during upgrade to 6.8, and now after upgrade to 6.9 I have two nodes not loggning TACACS+ in the Access Tracker. Still working with TAC on that issue. So I have started to rethink the replacement process. Could it be a risk of transfer faulty or corrupt databases if I join the new nodes to the cluster and by this inherit any issues that may hiding in the databases?
Would it be a better option, with a bit more work, to migrate all configuration with XLM files from the old cluster to a new cluster built side by side?
The configuration is not to complex to migrate with XML export/import.
This way I can also start with 6.10.x from the start.
Finally to switch the production to the new cluster I manually move the VIP addresses from one cluster to the other.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSA, ACEP
Aranya AB
------------------------------