Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 6.11.5 -> 6.12

  • 1.  Clearpass 6.11.5 -> 6.12

    Posted Dec 29, 2023 08:42 AM

    Considering moving to 6.12. I have two VM servers in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

    From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

    I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

    So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?



  • 2.  RE: Clearpass 6.11.5 -> 6.12

    EMPLOYEE
    Posted Dec 31, 2023 01:41 AM

    It is for sure stable enough to be released, but like always it is the first major release; like always there will be a few issues that will be discovered and resolved in the first maintenance release (patch).

    I cannot think of anything more than checking the known issues, which you already have.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Clearpass 6.11.5 -> 6.12

    MVP EXPERT
    Posted Jan 01, 2024 06:31 AM
    As a best practice, I would not quickly use a first unpatched release in a production environment. In production I always go for the latest Long Support Releases (LSR) and that is 6.11.6 at the moment.
     
    I have not yet installed, tested or gained experience with 6.12 myself. If you really need the new features in 6.12 then it is worth considering, but my advice is to test it first in a test environment.
    ------------------------------
    Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------




  • 4.  RE: Clearpass 6.11.5 -> 6.12

    MVP
    Posted Jan 02, 2024 08:24 AM

    I agree.

    What is your understanding of support for SSR? I understand SSR is EOL/EOS when the next version is released.

    Does that mean the only supported upgrade path is a new installation? Officially supporting an upgrade from an unsupported release makes little sense IMO.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 5.  RE: Clearpass 6.11.5 -> 6.12

    EMPLOYEE
    Posted Jan 02, 2024 09:42 AM

    You can upgrade from a SSR to the next SSR or the next LSR (whichever comes first).

    It's not that as soon as a new LSR or SSR is released, all previous releases are suddenly unsupported from one moment to the other. An end-of-support announcement will be done on ASP, and then there should be at least 6 months for you to upgrade to the newer release. Also, as long as the release notes for the new (supported) release mention that you can update from a specific version, it's less relevant whether the source version is unsupported or not. Unsupported does not mean that it does not work; it's just that you should (probably) upgrade, and if you contact TAC, they may ask you to upgrade to a supported version if the issue may be related to the older software version you are running.

    This may not be fully clear to everyone as there currently is only one LSR release for ClearPass (6.11), and one SSR release (6.12), so the situation has not happened yet.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Clearpass 6.11.5 -> 6.12

    MVP
    Posted Jan 02, 2024 10:10 AM

    Herman,

     

    The following quote is from the CPPM 6.11 Release notes.

     

    In a Short Support Release, Aruba introduces new features and new hardware, but does NOT "park" any hardware. SSR releases are supported from release until the date of the next SSR or LSR release.

     

    So, when 6.13 is released, 6.12 SSR is no longer officially supported, according to Aruba's own documentation, hence my confusion.

     

    Bruce

     

     






  • 7.  RE: Clearpass 6.11.5 -> 6.12

    EMPLOYEE
    Posted Jan 02, 2024 10:55 AM

    I see the confusion, but still end of support will need to be posted on ASP and then there is at least a 6-month overlap to upgrade. What you quote does not make sense to take literally and depends on the definition of 'support'. There probably will not be any further updates to SSR releases if a new SSR or LSR is released.



    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: Clearpass 6.11.5 -> 6.12

    MVP
    Posted Jan 02, 2024 10:59 AM

    Herman,

     

    It would not be the first time Aruba support policies did not make sense.

     

    At one point, if we stayed on CPPM 6.9.x we would have longer support than if we moved to 6.10.x. They later changed that.

     

    Bruce

     






  • 9.  RE: Clearpass 6.11.5 -> 6.12

    EMPLOYEE
    Posted Jan 11, 2024 05:03 PM

    Let me try to help this make more sense for everyone. 

    The old model was that we released a major version and supported it for 1 year of active development and then 1 additional year of security (high and critical CVSS score) fixes.  On paper it looked fine, but a lot of times we ended up having more than 1 year of active development (look at the 6.7 life) which then led to having multiple active releases at the same time.  At the same time, many customers were providing us the feedback that they didn't want new features, they wanted a release that only got the bug & security fixes but otherwise they were under the "if it isn't broke, don't fix it" mind.  We listened to this and the LSR/SSR model was the choice to work with.

    In the new LSR/SSR model we have a release that is long support - in ClearPass that means as long as we can maintain the release for security and stability (usually limited by either the cryptographic or kernel support available).  This is the release for people who don't want/need new NAC functionality and features and just want to have things work for long times.  The LSR releases will be supported fully until the next LSR version is released (yes, we are planning some overlap window so you are not jumping to a .0 in LSR if you are comfortable).  Generally speaking, the LSR version will also undergo events like CC validation and other certifications.

    We then have the ability to do short support that is then only supported until the next SSR or LSR releases.  These releases allow us to still focus on stability in the product, but to allow for us to add features or to rework internal parts of the system that we may not be able to do otherwise.  An example of this happened in 6.12 when we changed some of our memory management.  It isn't going to be back-ported to 6.11 ever, but it is something we will carry forward into the future.  This also allows us to space some of the work out to do things that need to be done sequentially so we can release part of the updates or capability without the extra risk historically present.

    Everyone is then also looking at the historic upgrade process and saying "you only support upgrade to N from N-1 and N-2.latest" and thinking that this is going to make future upgrades horrible and long.  It's actually not.  When you move to SSR you do have to keep doing upgrades to N from N-1.  That isn't changed.  However, when you are using LSR you will jump over all the SSR releases to the next LSR.  Let's pretend that 6.11 is LSR and that we replace it with 6.20.  You don't have to upgrade from all 9 (or even 4) of the intermediate SSR releases as they would already be end of support.  You would upgrade from 6.11 to 6.20 directly as the LSR to LSR jump.

    I hope that this helps explain things a little more.




  • 10.  RE: Clearpass 6.11.5 -> 6.12

    MVP
    Posted Jan 19, 2024 10:10 AM

    CAUTION: The following is TOTALLY my personal opinion.

    1. Why choose an untested, major release as LSR? When CPPM 6.0.0 was introduced, we waited until 6.2.1 for it to be stable. In AOS, a version has been released & patched for a while before it is considered as a Conservative Release, their term for LSR.
    2. I have trouble wrapping my head about SSR, taking the policy literally.  What it communicates to me is that when 6.13.0 is released, for example, there is no more support for EOL 6.12.x. To me that would mean there is no supported upgrade path and a version reinstall, restoring your configuration, would be required.

    I know there is a flaw in my logic somewhere, but I cannot seem to find it. Where am I wrong?



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    ------------------------------