Hi Ric, how did you get on with this upgrade? Have to do the same in the next couple of months.
Thanks.
Original Message:
Sent: Apr 19, 2023 05:04 PM
From: Ric
Subject: Clearpass 6.10 to 6.11 upgrade strategy
Yes, good point about the SANs in the cert. I will have to reissue from our CA.
I will update this Post with my upgrade results in late Q2/Q3.
Thanks again.
Original Message:
Sent: Apr 19, 2023 03:36 PM
From: Jonas Hammarback
Subject: Clearpass 6.10 to 6.11 upgrade strategy
Hi Ric
Changing the IP of any ClearPass server running version 6.8+ also requires updating the database certificate with the new IP address.
It should be added to the SAN field in the format DNS:10.11.12.13
From version 6.11.x the update of the database certificate is done automatically. I don't remember if this feature was introduced in 6.11.0 or one of the later versions. Check the release notes.
The update may take "some time". I tried on a lab server but didn't wait long enough. I suppose 10-15 minutes may be a reasonable time to wait.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
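A way to check a reissued certificate for the SAN entry described in the message above (an added example, not part of the thread and not Aruba tooling). It assumes OpenSSL 1.1.1 or later for `-ext`; the file name `db-cert.pem`, the function names and the sample SAN text are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a certificate carry an IP address as a DNS-type
# SAN entry ("DNS:10.11.12.13"), the format given in the post?

# Print the SAN extension of a PEM certificate (OpenSSL 1.1.1+).
cert_san_text() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Read SAN text on stdin; print one trimmed entry per line.
san_entries() {
    tr ',' '\n' | sed -e '/Subject Alternative Name/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# classify_san_ip IP: reads SAN text on stdin and prints
#   dns      "DNS:<ip>" is present as a whole entry
#   ip-only  only "IP Address:<ip>" is present (not the DNS: form)
#   missing  the address is not present as a whole entry
classify_san_ip() {
    ip=$1
    entries=$(san_entries)
    # -x matches whole lines and -F takes the dots literally, so
    # DNS:10.11.12.130 is not mistaken for 10.11.12.13.
    if printf '%s\n' "$entries" | grep -qxF "DNS:$ip"; then
        echo dns
    elif printf '%s\n' "$entries" | grep -qxF "IP Address:$ip"; then
        echo ip-only
    else
        echo missing
    fi
}

# Constructed sample in the layout openssl prints for the extension.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:cppm1.example.test, DNS:10.11.12.130, IP Address:10.11.12.13'

# Against a real file (hypothetical name):
#   cert_san_text db-cert.pem | classify_san_ip 10.11.12.13
demo() {
    printf '%s\n' "$SAMPLE_SAN" | classify_san_ip 10.11.12.13
}
```

On the constructed sample, `demo` reports `ip-only`: the address appears only as an IP-type entry, and the similar-looking `DNS:10.11.12.130` is correctly not counted.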
Original Message:
Sent: Apr 19, 2023 02:17 PM
From: Ric
Subject: Clearpass 6.10 to 6.11 upgrade strategy
Hi Jonas:
Thanks for your comments.
We have 1 Pub and 2 Subs. One of the Subs is our Standby Pub (automatic failover disabled). All our Clearpass servers are in the same zone and cluster and are available from any subnet that requires NAC.
I like your thoughts regarding using one of the Subs. I will give it a go in the lab.
I am also thinking I can build a new Pub with a new IP. This would allow me to validate with some test switches. Assuming everything is functional for Production, I could reconfigure the IP to the original in appadmin and reboot. Something I have never done in a Clearpass environment. Any issues with re-addressing a Publisher that you might have run into?
Thanks
Ric
Original Message:
Sent: Apr 19, 2023 12:26 PM
From: jonas.hammarback
Subject: Clearpass 6.10 to 6.11 upgrade strategy
Hi Ric
How many servers do you have in your cluster? You wrote "Subscribers", so I assume you have more than two.
Depending on how you have the redundancy configured both between the ClearPass servers and the configuration on the network infrastructure there are several possible strategies to select.
One way I have done the migration to 6.11 in a few environments is to start with one of the subscribers. Move VIP addresses from that node, drop it from the cluster.
If you have more than two nodes on the same site you are still redundant, or maybe you have subscribers spread over several sites.
But by starting with one of the subscribers, the Publisher is still available for guest registrations and configuration changes. But I recommend minimizing any configuration changes during the process to migrate to 6.11.
Installing the first server with 6.11 and restoring the configuration and other databases according to the given guidelines from Aruba is quite fast, if you don't have very large databases. In this case it may take some time.
At this stage you have one 6.10 Publisher and one 6.11 Publisher.
When you have the first server up and running you can do verifications with some test switches and AP/controllers by configuring them with this specific server IP as RADIUS server.
If you have multiple subscribers on the site, drop one more from the 6.10 cluster, reinstall with 6.11 and make it a subscriber to the first 6.11 server.
Move the VIP addresses when you have the redundancy and capacity needed in the 6.11 cluster. Continue with the rest of the servers.
Before you start your migration verify that you have active support agreements on all serial numbers for physical servers and all PAK licenses for virtual servers. Open a ticket with Aruba TAC and verify that they have the same information in their backend systems. ClearPass 6.11 has a check for active support agreement to be able to download updates from the Software Updates page.
If you have had an RMA there's a risk that the new serial number hasn't been added to the support agreement and the old one is still connected.
If you have the option to do some restores in a lab environment I suggest you do a practice run first.
------------------------------
Best Regards
Jonas Hammarbäck
Original Message:
Sent: Apr 18, 2023 03:15 PM
From: Ric
Subject: Clearpass 6.10 to 6.11 upgrade strategy
Dear Community:
I am about to embark on the Clearpass 6.10 to 6.11 upgrade. This upgrade requires a fresh installation of Clearpass. I have been thinking about a strategy that will not require a service outage. As we are a 24-hour operation, maintenance windows are not available.
My thoughts are:
- After all the applicable backups are done, shut down the existing 6.10 Publisher. This will force traffic to the 6.10 Subscribers.
- Build the new 6.11 server with the same IP and VIP as the existing Publisher. (Failover to standby Pub is disabled)
- Restore the backups from the 6.10 server to the new 6.11 server.
- Assuming all is well with the new 6.11 Publisher, shut down the Subscribers and build new ones.
My concerns are:
- What happens to the Subs and/or the Clearpass clients (802.1x, MAC, TACACS, etc) during the time when the new 6.11 server (prior to or during the 6.10 backup restoration) has the same IP and VIP as the old 6.10 server?
Any other suggestions are most welcome.
Thanks
Ric