  • 1.  Clearpass 6.11 version upgrade - VM Migration from 6.10

    Posted Oct 12, 2023 10:07 AM

    Hi All,

    Please let me know if there are any issues reported with 6.11.5 version post upgrade.

    Anyone who has upgraded to 6.11 version, please share the experience and the issues you've faced while upgrading/Migration.



  • 2.  RE: Clearpass 6.11 version upgrade - VM Migration from 6.10

    Posted Oct 12, 2023 10:24 AM

    Hi

    I have only installed 6.11.5 on two C1000 hardware servers so far. No issues during the installation, but on the other hand these two servers are under deployment for a new customer and we are not in production yet.

    On all other customers running 6.11 I have learned the following:

    • You need an active support agreement
    • Very important that the hardware serial number, the license numbers and the support agreements are registered in the ASP site. Otherwise updates will fail
    • Installation on physical servers sometimes fails from USB stick, creating a new stick has solved the issue with the 6.11.1 image. 
    • The first 6.11.0 couldn't be installed on hardware from USB under some conditions, needed DVD
    • ClearPass 6.11 introduces TLS 1.3, and in TLS 1.3 a new algorithm is introduced, PSS-RSA. Some older computers have a bug in the TPM chip related to this algorithm, causing them to fail authentication. This only occurs during EAP-TLS when the client certificate is stored in a TPM chip affected by the bug.
      Read more in my blog post: https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/
    • Migration of data from earlier versions hasn't been a problem

    If you follow the instructions provided by Aruba, the process is quite straightforward.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass 6.11 version upgrade - VM Migration from 6.10

    Posted Oct 16, 2023 09:13 AM

    I installed patch 5 on 1 Lab C1000 VM. I later saw issues toward the end of a TAC Call. I tried reverting & the VM appeared to be reset.

    I ended up setting up a new Lab VM and updated it to Patch 4. It has been working well on patch 4.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 4.  RE: Clearpass 6.11 version upgrade - VM Migration from 6.10

    Posted Oct 16, 2023 09:16 AM

    What sort of issues did you see in 6.11.5?  I have been running it in my lab cluster for over a week and haven't seen any noticeable differences over 6.11.4.




  • 5.  RE: Clearpass 6.11 version upgrade - VM Migration from 6.10

    Posted Oct 16, 2023 09:24 AM

    During a Zoom interactive session, we were troubleshooting some Azure source authorization issues with a test client. Toward the end of the session, we stopped seeing the authentication attempts in Access Tracker. I tried troubleshooting afterwards and everything else looked OK.

    After setting up a new VM with 6.11.4, things have been running fine during my tests. I am configuring a greenfield build in preparation for moving from 6.9.13 or later to 6.11. The last time we did a greenfield configuration was moving from CPPM 5.11 to CPPM 6.2.x. Configurations can gather lots of old cr*p over time.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 6.  RE: Clearpass 6.11 version upgrade - VM Migration from 6.10

    Posted Oct 16, 2023 11:25 AM

    If you stop seeing authentication attempts in Access Tracker when troubleshooting an Azure AD Authorization Source, make sure that you have the Azure AD Authorization source under Authorization Sources, and not under Authentication source. If you list it as Authentication source, you won't see authentications coming in. This is supposed to get fixed, but 'known behavior' at least in earlier 6.11 versions.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Clearpass 6.11 version upgrade - VM Migration from 6.10

    Posted Oct 16, 2023 11:31 AM

    I am WELL aware of that and have the default Azure source working. My current issue is with a copy of the source using Certificate::Subject-CN as input so we can do the recommended standard TLS with anonymous outer ID. Azure AD returns "Bad Request" which indicates a CPPM bug.

    TAC has been unable to determine exactly what encrypted request content is being sent to the Microsoft Graph API.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------