Security

 View Only
  • 1.  Clearpass 6.11 Upgrade from 6.10

    Posted Sep 02, 2024 12:41 AM

    Hi All,

    Below is the plan I am going to follow to upgrade Clerapass cluster from 6.10.8 to 6.11.9.   

    I decided to start upgrade from existing Subscriber first so 6.10.8 and 6.11 will be running in parallel, which help me to validate config side by side.


    Regarding step 6,  which backup config should be imported into new Publisher (ex-Subscriber)?  I tried both options in the lab and it seems importing backup config from ex-Subscriber to new Publisher took much less time and more smoothly.

    in addition, I don't believe DB cert needs to be imported into new Publisher / Subscriber as this self-assigned cert can be generated by new versions of CPPM automatically. 

    Not sure if anyone has had success upgrade procedure and willing to share.  Thanks 

    &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

               1)  2 CPPM appliances (One Publisher, one Subscriber) with existing version 6.10.8

               2)  Removes subscriber IP from VIP and drop Subscriber from Cluster

               3)  install  6.11.1 image onto this node  (ex-subscriber) and apply 6.11.9 update afterwards

    4)  Check FIPS mode and set correct time zone and NTP

    5)  Import Access license to this node

    6)  Restore backup config of existing Subscriber ( or Publisher) to this node, so it will become new Publish but with ex-subscriber IP address

    7)  Import all backup certificates, such as  HTTPS cert, Radius cert

              8)  Not sure if self-assigned DB cert is necessarily required to be imported as the new one generated by 6.11 also should work ?

              9)   Move VIP to this new Publisher and test all WiFi authentication to make sure it works as expected on the new Publisher 

             10)  install  6.11.1 image onto ex-Publisher and apply 6.11.9 update afterward

             11)  Check FIPS mode and set correct time zone and NTP

              12)  Import Access license to this node 

             13)  Import all backup certificates, such as HTTPS cert, Radius cert

             14)  No need to restore backup config to this node

            15)  Join this ex-Publisher to Cluster as new Subscriber



  • 2.  RE: Clearpass 6.11 Upgrade from 6.10

    Posted Sep 02, 2024 03:02 AM

    Hi

    It doesn't matter if you restore the backup from the publisher or the subscriber. It contains the same data.

    You are correct regarding the database certificate, you don't need to restore this as you have a new valid database certificate on the 6.11 instance.

    Regarding step 12, you have already imported and activated the Access license in the cluster in step 5.

    When the second server joins the cluster it will share the same Access license.

    If you have any Extensions installed, like Intune extension, this must be installed as well.

    Any configuration or hardening done under respective server object must be done manually. 



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass 6.11 Upgrade from 6.10

    Posted Sep 02, 2024 10:45 PM

    HI Jonas,

    Thanks for your reply. 

    Regarding extension installation, my understanding is that installed extension (Ivanti MDM, in this case) is included in the backup and it will also be imported into 6.11.9 as part of Restore process, so no extra download and installation is required. Is this correct ?

    In addition,  apart from 2 USB port at the back, C3010 appliance also has multiple USB ports at the front panel and one of them is labeled as "iLO". Not sure what the purpose is of this "iLO" USB port?  We are planning to upgrade via boot from USB dongle, and will there any difference selecting any of USB port?  Thanks






  • 4.  RE: Clearpass 6.11 Upgrade from 6.10

    Posted Sep 03, 2024 01:13 AM

    Hi

    I'm a bit unsure if the backup restore the installed extension or just the configuration for the extension.

    6.11 may have a later version of the extension than your current server.

    The iLO interface is the remote management interface on HPE servers. https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpass 6.11 Upgrade from 6.10

    Posted Sep 04, 2024 07:32 AM

    In the 6.10.x version, extensions are not backed up, you have to install them manually on each Cluster Member.
    There is also no selection option for this in the backup.

    In the 6.11.x version, extensions can be backed up:



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: Clearpass 6.11 Upgrade from 6.10

    Posted Sep 05, 2024 01:29 AM

    Hi Guys
    Thanks for your kind reply
    I tested this in the lab., For 6.10.X, installed extension will be backed up by default even this option is not shown. I restored the backup took from 6.10.8 to 6.11.9,  could see extension was restored successfully>