Security

Considering moving to 6.12.. I have two VM server in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?

Considering moving to 6.12.. I have two VM server in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?

I agree.

What is your understanding of support for SSR? I understand SSR is EOL/EOS when the next version is released.

Does that mean the only supported upgrade path is a new installation? Officially supporting an upgrade from an unsupported release makes little sense IMO.

Considering moving to 6.12.. I have two VM server in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?

You can upgrade from a SSR to the next SSR or the next LSR (whichever comes first).

It's not that as soon a new LSR or SSR is released that suddenly all previous releases are unsupported from one moment to the other. An end-of-support announcement will be done on ASP, and then there should be at least 6 months for you to upgrade to the newer release. Also, as long as the release notes for the new (supported) release mention that you can update from a specific version, it's less relevant that the source version is unsupported or not. Unsupported does not mean that it does not work, it's just that you should (probably) upgrade, and if you contact TAC that they may ask you to upgrade to a supported version if the issue may be related to the older software version you are running.

This may not be fully clear to everyone as there currently is only one LSR release for ClearPass (6.11), and one SSR release (6.12), so the situation has not happened yet.

I agree.

What is your understanding of support for SSR? I understand SSR is EOL/EOS when the next version is released.

Does that mean the only supported upgrade path is a new installation? Officially supporting an upgrade from an unsupported release makes little sense IMO.

Considering moving to 6.12.. I have two VM server in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?

You can upgrade from a SSR to the next SSR or the next LSR (whichever comes first).

It's not that as soon a new LSR or SSR is released that suddenly all previous releases are unsupported from one moment to the other. An end-of-support announcement will be done on ASP, and then there should be at least 6 months for you to upgrade to the newer release. Also, as long as the release notes for the new (supported) release mention that you can update from a specific version, it's less relevant that the source version is unsupported or not. Unsupported does not mean that it does not work, it's just that you should (probably) upgrade, and if you contact TAC that they may ask you to upgrade to a supported version if the issue may be related to the older software version you are running.

This may not be fully clear to everyone as there currently is only one LSR release for ClearPass (6.11), and one SSR release (6.12), so the situation has not happened yet.

I agree.

What is your understanding of support for SSR? I understand SSR is EOL/EOS when the next version is released.

Does that mean the only supported upgrade path is a new installation? Officially supporting an upgrade from an unsupported release makes little sense IMO.

Considering moving to 6.12.. I have two VM server in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?

I see the confusion, but still end of support will need to be posted on ASP and then there is at least a 6 months overlap to upgrade. What you quote does not make sense to take litteraly and depend on the definition of 'support'. The probably will not be any further updates to SSR releases if a new SSR or LSR is released.

You can upgrade from a SSR to the next SSR or the next LSR (whichever comes first).

It's not that as soon a new LSR or SSR is released that suddenly all previous releases are unsupported from one moment to the other. An end-of-support announcement will be done on ASP, and then there should be at least 6 months for you to upgrade to the newer release. Also, as long as the release notes for the new (supported) release mention that you can update from a specific version, it's less relevant that the source version is unsupported or not. Unsupported does not mean that it does not work, it's just that you should (probably) upgrade, and if you contact TAC that they may ask you to upgrade to a supported version if the issue may be related to the older software version you are running.

This may not be fully clear to everyone as there currently is only one LSR release for ClearPass (6.11), and one SSR release (6.12), so the situation has not happened yet.

I agree.

What is your understanding of support for SSR? I understand SSR is EOL/EOS when the next version is released.

Does that mean the only supported upgrade path is a new installation? Officially supporting an upgrade from an unsupported release makes little sense IMO.

Considering moving to 6.12.. I have two VM server in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?

I see the confusion, but still end of support will need to be posted on ASP and then there is at least a 6 months overlap to upgrade. What you quote does not make sense to take litteraly and depend on the definition of 'support'. The probably will not be any further updates to SSR releases if a new SSR or LSR is released.

You can upgrade from a SSR to the next SSR or the next LSR (whichever comes first).

It's not that as soon a new LSR or SSR is released that suddenly all previous releases are unsupported from one moment to the other. An end-of-support announcement will be done on ASP, and then there should be at least 6 months for you to upgrade to the newer release. Also, as long as the release notes for the new (supported) release mention that you can update from a specific version, it's less relevant that the source version is unsupported or not. Unsupported does not mean that it does not work, it's just that you should (probably) upgrade, and if you contact TAC that they may ask you to upgrade to a supported version if the issue may be related to the older software version you are running.

This may not be fully clear to everyone as there currently is only one LSR release for ClearPass (6.11), and one SSR release (6.12), so the situation has not happened yet.

I agree.

What is your understanding of support for SSR? I understand SSR is EOL/EOS when the next version is released.

Does that mean the only supported upgrade path is a new installation? Officially supporting an upgrade from an unsupported release makes little sense IMO.

Considering moving to 6.12.. I have two VM server in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?

Let me try to help this make more sense for everyone. 

The old model was that we released a major version and supported it for 1 year of active development and then 1 additional year of security (high and critical CVSS score) fixes.  On paper it looked fine, but a lot of times we ended up having more than 1 year of active development (look at the 6.7 life) which then led to having multiple active releases at the same time.  At the same time, many customers were providing us the feedback that they didn't want new features, they wanted a release that only got the bug & security fixes but otherwise they were under the "if it isn't broke, don't fix it" mind.  We listened to this and the LSR/SSR model was the choice to work with.

In the new LSR/SSR model we have a release that is long support - in ClearPass that means as long as we can maintain the release for security and stability (usually limited by either the cryptographic or kernel support available).  This is the release for people who don't want/need new NAC functionality and features and just want to have things work for long times.  The LSR releases will be supported fully until the next LSR version is released (yes, we are planning some overlap window so you are not jumping to a .0 in LSR if you are comfortable).  Generally speaking, the LSR version will also undergo events like CC validation and other certifications.

We then have the ability to do short support that is then only supported until the next SSR or LSR releases.  These releases allow us to still focus on stability in the product, but to allow for us to add features or to rework internal parts of the system that we may not be able to do otherwise.  An example of this happened in 6.12 when we changed some of our memory management.  it isn't going to be back-ported to 6.11 ever, but it is something we will carry forward into the future.  This also allows us to space some of the work out to do things that need to be done sequentially so we can release part of the updates or capability without the extra risk historically present.  

Everyone is then also looking at the historic upgrade process and saying "you only support upgrade to N from N-1 and N-2.latest" and thinking that this is going to make future upgrades horrible and long.  It's actually not.  When you move to SSR you do have to keep doing upgrades to N from N-1.  That isn't changed.  However, when you are using LSR you will jump over all the SSR releases to the next LSR.  Let's pretend that 6.11 is LSR and that we replace it with 6.20.  You don't have to upgrade from all 9 (or even 4) of the intermediate SSR releases as they would already be end of support.  You would upgrade from 6.11 to 6.20 directly as the LSR to LSR jump.

I hope that this helps explain things a little more.

Original Message:
Sent: Jan 02, 2024 10:58 AM
From: bosborne
Subject: Clearpass 6.11.5 -> 6.12

Original Message:
Sent: 1/2/2024 10:55:00 AM
From: Herman Robers
Subject: RE: Clearpass 6.11.5 -> 6.12

I see the confusion, but still end of support will need to be posted on ASP and then there is at least a 6 months overlap to upgrade. What you quote does not make sense to take litteraly and depend on the definition of 'support'. The probably will not be any further updates to SSR releases if a new SSR or LSR is released.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 02, 2024 10:10 AM
From: bosborne
Subject: Clearpass 6.11.5 -> 6.12

Original Message:
Sent: 1/2/2024 9:42:00 AM
From: Herman Robers
Subject: RE: Clearpass 6.11.5 -> 6.12

You can upgrade from a SSR to the next SSR or the next LSR (whichever comes first).

It's not that as soon a new LSR or SSR is released that suddenly all previous releases are unsupported from one moment to the other. An end-of-support announcement will be done on ASP, and then there should be at least 6 months for you to upgrade to the newer release. Also, as long as the release notes for the new (supported) release mention that you can update from a specific version, it's less relevant that the source version is unsupported or not. Unsupported does not mean that it does not work, it's just that you should (probably) upgrade, and if you contact TAC that they may ask you to upgrade to a supported version if the issue may be related to the older software version you are running.

This may not be fully clear to everyone as there currently is only one LSR release for ClearPass (6.11), and one SSR release (6.12), so the situation has not happened yet.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 02, 2024 08:24 AM
From: bosborne
Subject: Clearpass 6.11.5 -> 6.12

I agree.

What is your understanding of support for SSR? I understand SSR is EOL/EOS when the next version is released.

Does that mean the only supported upgrade path is a new installation? Officially supporting an upgrade from an unsupported release makes little sense IMO.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Jan 01, 2024 06:30 AM
From: mkk
Subject: Clearpass 6.11.5 -> 6.12

Considering moving to 6.12.. I have two VM server in a cluster, Entry licenses, we use CPPM Guest for admins only, not for guests, a mix of EAP and TLS authentications, and moving to Entra ID / InTune for all users.

From the release notes I especially like the negate filtering feature in Access Tracker, a long awaited feature. Maybe not enough for an upgrade, but I like to be up to speed on new releases anyways.

I have read the Known Issues on 6.12, there's nothing there to prevent me from upgrading.

So the question, is 6.12 stable enough to go ahead and upgrade or should I wait it out?