Original Message:
Sent: Sep 04, 2024 07:32 AM
From: lord
Subject: Clearpass 6.11 Upgrade from 6.10
In the 6.10.x version, extensions are not backed up, you have to install them manually on each Cluster Member.
There is also no selection option for this in the backup.
In the 6.11.x version, extensions can be backed up:
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Sep 03, 2024 01:13 AM
From: jonas.hammarback
Subject: Clearpass 6.11 Upgrade from 6.10
Hi
I'm a bit unsure if the backup restore the installed extension or just the configuration for the extension.
6.11 may have a later version of the extension than your current server.
The iLO interface is the remote management interface on HPE servers. https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Sep 02, 2024 10:45 PM
From: Charles.Zhuang
Subject: Clearpass 6.11 Upgrade from 6.10
HI Jonas,
Thanks for your reply.
Regarding extension installation, my understanding is that installed extension (Ivanti MDM, in this case) is included in the backup and it will also be imported into 6.11.9 as part of Restore process, so no extra download and installation is required. Is this correct ?
In addition, apart from 2 USB port at the back, C3010 appliance also has multiple USB ports at the front panel and one of them is labeled as "iLO". Not sure what the purpose is of this "iLO" USB port? We are planning to upgrade via boot from USB dongle, and will there any difference selecting any of USB port? Thanks
Original Message:
Sent: Sep 02, 2024 03:01 AM
From: jonas.hammarback
Subject: Clearpass 6.11 Upgrade from 6.10
Hi
It doesn't matter if you restore the backup from the publisher or the subscriber. It contains the same data.
You are correct regarding the database certificate, you don't need to restore this as you have a new valid database certificate on the 6.11 instance.
Regarding step 12, you have already imported and activated the Access license in the cluster in step 5.
When the second server joins the cluster it will share the same Access license.
If you have any Extensions installed, like Intune extension, this must be installed as well.
Any configuration or hardening done under respective server object must be done manually.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Sep 02, 2024 12:40 AM
From: Charles.Zhuang
Subject: Clearpass 6.11 Upgrade from 6.10
Hi All,
Below is the plan I am going to follow to upgrade Clerapass cluster from 6.10.8 to 6.11.9.
I decided to start upgrade from existing Subscriber first so 6.10.8 and 6.11 will be running in parallel, which help me to validate config side by side.
Regarding step 6, which backup config should be imported into new Publisher (ex-Subscriber)? I tried both options in the lab and it seems importing backup config from ex-Subscriber to new Publisher took much less time and more smoothly.
in addition, I don't believe DB cert needs to be imported into new Publisher / Subscriber as this self-assigned cert can be generated by new versions of CPPM automatically.
Not sure if anyone has had success upgrade procedure and willing to share. Thanks
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
1) 2 CPPM appliances (One Publisher, one Subscriber) with existing version 6.10.8
2) Removes subscriber IP from VIP and drop Subscriber from Cluster
3) install 6.11.1 image onto this node (ex-subscriber) and apply 6.11.9 update afterwards
4) Check FIPS mode and set correct time zone and NTP
5) Import Access license to this node
6) Restore backup config of existing Subscriber ( or Publisher) to this node, so it will become new Publish but with ex-subscriber IP address
7) Import all backup certificates, such as HTTPS cert, Radius cert
8) Not sure if self-assigned DB cert is necessarily required to be imported as the new one generated by 6.11 also should work ?
9) Move VIP to this new Publisher and test all WiFi authentication to make sure it works as expected on the new Publisher
10) install 6.11.1 image onto ex-Publisher and apply 6.11.9 update afterward
11) Check FIPS mode and set correct time zone and NTP
12) Import Access license to this node
13) Import all backup certificates, such as HTTPS cert, Radius cert
14) No need to restore backup config to this node
15) Join this ex-Publisher to Cluster as new Subscriber