Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

  • 1.  Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

    Posted Aug 05, 2024 02:30 PM

    Hello All, 

    I'm seeking your recommendations regarding the Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

    Our current environment consists of a single Publisher in AWS and a single Subscriber in a datacenter.

    I require guidance on the optimal upgrade approach for the following scenarios:

    • Scenario 1: Assigning new IP addresses to both Publisher and Subscriber.
    • Scenario 2: Assigning a new IP address to the Subscriber while maintaining the existing Publisher IP.

    Steps for Scenario 1:

    1. Build two new ClearPass instances (Publisher and Subscriber) with different IP addresses and firmware version 6.11.x or 6.12.x. Activate evaluation licenses, join the domain, form a cluster (Publisher + Subscriber), and test the AAA services on test end-user devices to ensure everything is functioning correctly.
    2. On the day of migration, restore backups of the existing ClearPass instances, including certificates and configurations. Then, turn off the existing Publisher and Subscriber.

    Steps for Scenario 2:

    • I'm unsure how to proceed with this scenario due to potential IP conflicts between devices.

    I would greatly appreciate detailed steps for both scenarios and any available migration documentation from the experts in the community.

    Thanks in Advance



  • 2.  RE: Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

    Posted Aug 06, 2024 11:03 AM

    Unsure what would be the benefit of scenario 2, besides the point that in AWS the IP addressing is controlled by AWS, so it may not be possible to control this from ClearPass.

    If you can (easily) change IP addresses in external applications, switches, or through DNS, it may be most controlled to build a fully separate environment, then switch over your equipment. In that case, you have a quick failback scenario.

    I would work on such a migration scenario together with your Aruba partner, or with TAC to get it validated before you go. 



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

    Posted Aug 06, 2024 10:05 PM

    @Herman Robers, Thanks for your reply. 

    Surely, I'll touch base with the TAC team regarding Scenario 2.

    In the meantime, could you please provide detailed guidance on Scenario 1? Specifically, I'm interested to know about migration steps, necessary precautions, and potential fallback plans. Any relevant documentation would be greatly appreciated.

    Thanks in Advance. 




  • 4.  RE: Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

    Posted Aug 07, 2024 03:48 AM

    Oh, in a nutshell, install the new VMs 'in parallel' to your existing environment (on new IPs); upgrade appliances to the latest version, then back up the existing configuration (and certs/domain memberships, etc. separately), restore on your new publisher, join the subscribers. Test, and change your equipment/applications to the new IPs; switch off the old appliances.



    ------------------------------
    Herman Robers
    ------------------------------