last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Issues after 6.0.2 upgrade

Jump to Best Answer
  • 1.  Issues after 6.0.2 upgrade

    Posted Mar 08, 2013 01:26 AM

    After upgrading my 6.0.1 publisher and subscribers, the subsribers became out of sync and the issue would not resolve itself. I had to drop all subscribers then re-add them.  Has anyone else had this issue? 


    I started by upgrading the publisher.  Then I upgraded each subscriber and started to notice the sync issue.  Is this the correct procedure for upgrading a cluster?


    Also, the TACACS service that I setup for CPPM login stopped working after the upgrade.  I can no longer login with my AD credentials; I have to use the local admin account.  AD authentication is working for other services such as .1X; the issue seems to be specifically with TACACS.  Access Tracker has logged the following error: Internal error in performing authentication, when trying to login with AD credentials.  The logon attempt details don't even show that an authentication source is being used.  I've tried creating a new TACACS service for CPPM login, but I get the same error.

  • 2.  RE: Issues after 6.0.2 upgrade

    Posted Mar 08, 2013 04:05 AM

    Please reach Tech support.  There could either be a bug, or an error in how you are upgrading...


  • 3.  RE: Issues after 6.0.2 upgrade

    Posted Mar 13, 2013 07:47 PM

    I opened up a case in tandem with this topic. TAC has figured out that the issue is with the publisher, but the ticket has been escalated.  I have a conference call with the escalation team and will report back what a solution in case it may be useful to someone in the future.

  • 4.  RE: Issues after 6.0.2 upgrade

    Posted Apr 09, 2013 09:15 AM

    Had the same issue here getting my cluster complete. Changing the cluster password to something without special characters after the upgrade to 6.0.2 did the trick for me.




  • 5.  RE: Issues after 6.0.2 upgrade
    Best Answer

    Posted Apr 21, 2013 11:24 PM

    Cluster Sync Fix


    Here is the reply from the engineering team:


    The Root cause for cluster setup failure was some duplicate data in the publisher data post upgrade/migration. There was an enforcement policy "Guest Operator Logins" which conflicted with a policy of the same name that was introduced as default data in 6.0.2.


    1) Create a new enforcement policy "AD Guest Operator Logins" with default enforcement profile "[Deny Application Access Profile]". Add the following rule to it "(Authorization:AD Servers:memberOf CONTAINS ClearPass-Admin)" and return the profile "Guest Operator - Super Administrator" to this rule.

    2) Edit the "ClearPass Guest Login" service and attach the enforcement policy created above. Save the service.

    Adding the subscriber should work after this.


    TACACS Fix


    TACACS is now working.  The fix involved deleting an invalid certificate from the Certificate Trust List and restarting all of the CP services:


    1. Administration > Certificates > Trust List
    2. Set Filter: Enabled equals Enabled
    3. Delete certificate(s) that are showing invalid.
    4. Login to the CP server via CLI.
    5. Login as app admin.
    6. Type: service restart all

    Although this fixed TACACS, our cluster is still not syncing.   I will report back with the fix for that.