Security

 View Only
  • 1.  Clearpass 6.10 to 6.11 upgrade strategy

    Posted Apr 19, 2023 09:30 AM

    Dear Community:

    I am about the embark on the Clearpass 6.10 to 6.11 upgrade. This upgrade requires a fresh installation of Clearpass. I have been thinking about a strategy that will not require a service outage. As we are 24 hour operation, maintenance windows are not available.

    My thoughts are:

    -          After all the applicable backups are done, shutdown the existing 6.10 Publisher. This will force traffic to the 6.10 Subscribers.

    -          Build the new 6.11 server with the same IP and VIP as the existing Publisher. (Failover to standby Pub is disabled)

    -          Restore the backups from the 6.10 server to the new 6.11 server.

    -          Assuming all is well with the new 6.11 Publisher, shutdown the Subscribers and build new ones.

    My concerns are:

        •     What happens to the Subs and/or the Clearpass clients (802.1x, MAC, TACACS, etc) during the time when the new 6.11 server (prior or during the 6.10 backup restoration) has the same IP and VIP as the old 6.10 server?

    Any other suggestions are most welcome.

    Thanks

    Ric



  • 2.  RE: Clearpass 6.10 to 6.11 upgrade strategy

    Posted Apr 19, 2023 12:27 PM

    Hi Ric

    How many servers do you have in your cluster? You wrote "Subscribers", so I assume you have more than two.
    Depending on how you have the redundancy configured both between the ClearPass servers and the configuration on the network infrastructure there are several possible strategies to select.

    One way I have done the migration to 6.11 in a few environments is to start with one of the subscribers. Move VIP addresses from that node, drop it from the cluster.
    If you have more that two nodes on the same site you are still redundant, or maybe you have subscribers spread over several sites.
    But by starting with one of the subscribers, the Publisher is still available for guest registrations and configuration changes. But I recommend minimizing any configuration changes during the process to migrate to 6.11.

    Installing the first server with 6.11, restore configuration and other databases according to the given guidelines from Aruba is quite fast, if you don't have very large databases. In this case it may take some time.

    At this stage you have one 6.10 Publisher and one 6.11 Publisher.

    When you have the first server up and running you can do verifications with some test switches and AP/controllers by configure them with this specific server IP as Radius server.
    If you have multiple subscribers on the site, drop one more from the 6.10 cluster, reinstall with 6.11 and make it a subscriber to the first 6.11 server.
    Move the VIP addresses when you have the redundancy and capacity needed in the 6.11 cluster. Continue with the rest of the servers.

    Before you start you migration verify that you have active support agreements on all serial numbers for physical servers and all PAK licenses for virtual servers. Open a ticket with Aruba TAC and verify that they have the same information in their backend systems. ClearPass 6.11 have a check for active support agreement to be able to download updates from the Software Updates page.
    If you have had an RMA it's a risk that the new serial number hasn't been added to the support agreement and the old one is still connected.

    If you have the option to do some restores in a lab environment I suggest you do a practise run first.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass 6.10 to 6.11 upgrade strategy

    Posted Apr 19, 2023 02:17 PM

    Hi Jonas:

    Thanks for your comments.

    We have 1 Pub and 2 Subs. One of the Subs is our Standby Pub (automatic failover disabled). All our Clearpass servers are in the same zone and cluster and are available from any subnet that requires NAC.

    I like your thoughts regarding using one of the Subs. I will give it ago in the lab.

    I am also thinking  I can build a new Pub with new IP. This would allow me to validate with some test switches.   Assuming everything is functional for Production, I could reconfigure the IP to the original in appadmin and reboot. Something I have never done in a Clearpass environment.  Any issues with re-addressing a Publisher that you might have run into?

    Thanks

    Ric




  • 4.  RE: Clearpass 6.10 to 6.11 upgrade strategy

    Posted Apr 19, 2023 03:36 PM

    Hi Ric

    Changing the IP of any ClearPass server running version 6.8+ also require updating the database certificate with the new IP address 
    It should be added to the SAN field in the format DNS:10.11.12.13

    From version 6.11.x the update of the database certificate is done automatically. I don't remember if it's in 6.11.0 or one of the later versions this feature is introduced. Check the release notes.
    The update may take "some time". I tried on a lab server but didn't wait long enough. I suppose 10-15 minutes may be a reasonable time to wait.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpass 6.10 to 6.11 upgrade strategy

    Posted Apr 19, 2023 05:04 PM

    Yes, good point about the SAN's in the cert. I will have to reissue from our CA.

    I will update this Post with my upgrade results in late Q2/Q3.

    Thanks again.




  • 6.  RE: Clearpass 6.10 to 6.11 upgrade strategy

    Posted Dec 13, 2023 09:03 AM

    Hi Ric, how did you get on with this upgrade? Have to the same in the next couple of months.

    Thanks.



    ------------------------------
    Nathan
    ------------------------------



  • 7.  RE: Clearpass 6.10 to 6.11 upgrade strategy

    Posted Jul 04, 2024 02:14 AM

    Here's the approach I'm considering for no outage:

    1. Build two new Clearpass C2000V VMs with different IPs and hostnames compared to the existing Clearpass VMs. (Publisher and one Subscriber)
    2. Restore backups of the existing Clearpass VMs, including certificates and configurations.
    3. Shut down the publisher VM and reuse its IP address for the new publisher instance. (Note: VIP is not configured in existing setup)
    4. Once the new publisher is up and running, shut down the subscriber VM and reuse its IP address and hostname for the new subscriber instance.
    5. Join both new VMs to the domain.

    is this correct approach?




  • 8.  RE: Clearpass 6.10 to 6.11 upgrade strategy

    Posted Jul 04, 2024 05:52 AM
    Edited by NHN Jul 04, 2024 05:55 AM

    You can follow below steps

    1. Build two new clearpass instances, Publisher, Subscriber with different IP addresses
    2. activate evaluation licenses
    3. Restore backups of the existing clearpass, including certificates and configurations.export the certificate from existing clearpass and import the same
    4. Build the cluster. no VIP at this stage
    5. Domain join, and all other integrations.
    6. validate the authentication using a single switch or temporary wlan (optional)
    7. Open a TAC case to transfer the licenses from existing cluster

     Cut over - require a small outage window

    if you have VIP in existing setup

    8. disable the VIP IP in existing cluster

    9. configure the same VIP IP in new cluster

    No VIP in existing setup

    8. configure 2 VIP IP identical Publisher and Subscriber IP

    9. disable the network connectivity for existing cluster, both Publisher and Subscriber

    10. activate VIP IPs in new cluster.



    ------------------------------
    Harendra
    ACEX165
    ------------------------------