Requirement: move production ClearPass from non-FIPS to FIPS
My knowledge of this is not much; the only thing I know is that it will wipe off all config and anything present on ClearPass, so my questions are:
1) How do I start planning?
2) What information would I need to gather?
3) How can config be moved from non-FIPS to FIPS?
4) Certificates, identity sources, ?? What else do I need to map out?
Basically, I have no information on how to start working and get this done.
So how should I start planning this? What are all the things that I should look for? When we say import existing service, does that mean it can be imported or needs to be reconfigured?
How about policies etc.?
It's hardware 500 and not in HA, so need to change and rebuild. Any suggestions on what planning to do? What I know:
1) Auth - Wired// EAP-TLS internal CA
2) minimal users
3) no external sources other than AD
The database is reset when you enable FIPS mode in CPPM. A configuration backup file from non-FIPS mode cannot be restored in FIPS mode. You may want to try to export services, authentication methods and sources, posture and enforcement policies, and network devices under Configuration, and import them back once FIPS is enabled. Legacy authentication methods such as EAP-MD5 and the MD5 digest algorithm are not supported in FIPS mode. You cannot import certificates that are created with the MD5 authentication type to the Certificates Trust List. The server reboots when you enable FIPS mode. You need to log in again to the Admin UI. I'd recommend working with Aruba TAC.
Please double-check that you absolutely require, and also can run, ClearPass in FIPS mode.
As Anish mentioned, MD5 and EAP-MD5 are disabled in FIPS mode, and some wired IP phones and other older devices are known to do EAP-MD5 only. Also, I have seen that the default for MAC authentication in Juniper switches is to use MD5. It seems that you can use PAP and EAP-PEAP in recent versions, but please be aware of that before switching on FIPS.
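The MD5 certificate restriction mentioned in the replies above can be checked before the mode change. The following is an added example, not part of the original thread or any Aruba tooling: it reads the signature algorithm OID from each certificate in a PEM bundle and reports the ones signed with MD5. The function names and the sample bundle are assumptions, and the sample consists of constructed DER skeletons, not real certificates.

```python
import base64
import re

# DER-encoded OID 1.2.840.113549.1.1.4 (md5WithRSAEncryption)
MD5_SIG_OIDS = {bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption"}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def signature_oid(der):
    """Return the raw OID bytes of Certificate.signatureAlgorithm."""
    _, start, _ = read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return der[oid_start:oid_end]

def md5_signed(pem_text):
    """Return positions of certificates in a PEM bundle that are MD5-signed."""
    hits = []
    for i, match in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(match.group(1).split()))
        if signature_oid(der) in MD5_SIG_OIDS:
            hits.append(i)
    return hits

def skeleton_pem(oid_hex):
    """Constructed sample: certificate-shaped DER skeleton, not a real cert."""
    alg = bytes.fromhex("300d0609" + oid_hex + "0500")
    body = bytes.fromhex("3000") + alg + bytes.fromhex("030100")
    b64 = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed bundle: entry 0 uses sha256WithRSAEncryption, entry 1 uses MD5
SAMPLE_BUNDLE = skeleton_pem("2a864886f70d01010b") + skeleton_pem("2a864886f70d010104")

if __name__ == "__main__":
    print("MD5-signed certificates at positions:", md5_signed(SAMPLE_BUNDLE))
```

To use it on real data, pass the text of a PEM bundle exported from the trust list to `md5_signed()` in place of `SAMPLE_BUNDLE`.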
Just to update: thank you for the information. I was able to change mode and restore config.
For detailed information I will post the document that I prepared. One must do a lab before doing it in production.
It was a success!!
We're having to go through the same exercise where I work. If you're up for posting the document you were mentioning, aakagarw, I'd love to have a better idea what we're in for.
Sorry, had been busy. I will post today.
I have uploaded videos:
Pre-Plan - https://www.youtube.com/watch?v=wa-CRhTZkh4
FIPS Mode Change - https://www.youtube.com/watch?v=o8G-Du6K0_c
Notes are in video.
FIPS Mode Prep: