Security Training

Hello All, 

I'm seeking your recommendations regarding the Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

Our current environment consists of a single Publisher in AWS and a single Subscriber in a datacenter.

I require guidance on the optimal upgrade approach for the following scenarios:

• Scenario 1: Assigning new IP addresses to both Publisher and Subscriber.
• Scenario 2: Assigning a new IP address to the Subscriber while maintaining the existing Publisher IP

Steps for Scenario 1:

1. Build two new ClearPass instances (Publisher and Subscriber) with different IP addresses and firmware version 6.11.x or 6.12.x. Activate evaluation licenses, join the domain, form a cluster (Publisher + Subscriber), and test the AAA services on test end-user devices to ensure everything is functioning correctly.
2. On the day of migration, restore backups of the existing ClearPass instances, including certificates and configurations. Then, turn off the existing Publisher and Subscriber.

Steps for Scenario 2:

• I'm unsure how to proceed with this scenario due to potential IP conflicts between devices.

I would greatly appreciate detailed steps for both scenarios and any available migration documentation from the experts in the community.

Thanks in Advance

Unsure what would be the benefit of scenario 2, besides the point that in AWS the IP addressing is controlled by AWS, so it may not be possible to control this from ClearPass.

If you can (easily) change IP addresses in external applications, switches, or through DNS, it may be most controlled to build a fully separate environment, then switch over your equipment. In that case, you have a quick failback scenario.

I would work on such a migration scenario together with your Aruba partner, or with TAC to get it validated before you go. 

Hello All, 

I'm seeking your recommendations regarding the Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

Our current environment consists of a single Publisher in AWS and a single Subscriber in a datacenter.

I require guidance on the optimal upgrade approach for the following scenarios:

• Scenario 1: Assigning new IP addresses to both Publisher and Subscriber.
• Scenario 2: Assigning a new IP address to the Subscriber while maintaining the existing Publisher IP

Steps for Scenario 1:

1. Build two new ClearPass instances (Publisher and Subscriber) with different IP addresses and firmware version 6.11.x or 6.12.x. Activate evaluation licenses, join the domain, form a cluster (Publisher + Subscriber), and test the AAA services on test end-user devices to ensure everything is functioning correctly.
2. On the day of migration, restore backups of the existing ClearPass instances, including certificates and configurations. Then, turn off the existing Publisher and Subscriber.

Steps for Scenario 2:

• I'm unsure how to proceed with this scenario due to potential IP conflicts between devices.

I would greatly appreciate detailed steps for both scenarios and any available migration documentation from the experts in the community.

Thanks in Advance

@Herman Robers, Thanks for your reply. 

Surely, I'll touch base with TAC team in regards to Scenario 2. 

 In the meantime, could you please provide detailed guidance on Scenario 1? Specifically, I'm interested to know about migration steps, necessary precautions, and potential fallback plans. Any relevant documentation would be greatly appreciated.

Thanks in Advance. 

Unsure what would be the benefit of scenario 2, besides the point that in AWS the IP addressing is controlled by AWS, so it may not be possible to control this from ClearPass.

If you can (easily) change IP addresses in external applications, switches, or through DNS, it may be most controlled to build a fully separate environment, then switch over your equipment. In that case, you have a quick failback scenario.

I would work on such a migration scenario together with your Aruba partner, or with TAC to get it validated before you go. 

Hello All, 

I'm seeking your recommendations regarding the Aruba ClearPass Policy Manager firmware upgrade from version 6.9.12 to 6.11.x.

Our current environment consists of a single Publisher in AWS and a single Subscriber in a datacenter.

I require guidance on the optimal upgrade approach for the following scenarios:

• Scenario 1: Assigning new IP addresses to both Publisher and Subscriber.
• Scenario 2: Assigning a new IP address to the Subscriber while maintaining the existing Publisher IP

Steps for Scenario 1:

1. Build two new ClearPass instances (Publisher and Subscriber) with different IP addresses and firmware version 6.11.x or 6.12.x. Activate evaluation licenses, join the domain, form a cluster (Publisher + Subscriber), and test the AAA services on test end-user devices to ensure everything is functioning correctly.
2. On the day of migration, restore backups of the existing ClearPass instances, including certificates and configurations. Then, turn off the existing Publisher and Subscriber.

Steps for Scenario 2:

• I'm unsure how to proceed with this scenario due to potential IP conflicts between devices.

I would greatly appreciate detailed steps for both scenarios and any available migration documentation from the experts in the community.

Thanks in Advance