Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass firmware upgrade

  • 1.  Clearpass firmware upgrade

    Posted Aug 21, 2024 08:57 PM

    I received a notification for a CVE in ClearPass firmware.

    Currently I am on 6.10.xx; what is the latest stable version that I should upgrade to?

    I have a 2-node cluster, publisher/subscriber.

    What is the correct procedure to upgrade ClearPass?



  • 2.  RE: Clearpass firmware upgrade

    Posted Aug 21, 2024 10:04 PM

    6.10 is End of Support. You can upgrade to 6.11, but you have to build/reinstall 6.11 from scratch. Read the techdoc below. Please talk to your HPE-Aruba Partner/Local SE for further assistance.

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Cluster%20Upgrade/Cluster_Upgrade/Moving_to_CPPM_6.11.htm?Highlight=5433



    ------------------------------
    Harendra
    ACEX165
    ------------------------------



  • 3.  RE: Clearpass firmware upgrade

    Posted Aug 22, 2024 04:29 AM

    Hi, I am planning an upgrade and wondering if anyone has the answer to the question below? Thanks

    Our hardware-based ClearPass cluster (one publisher and one subscriber) is currently performing the SAML service provider (SP) function. Does the ClearPass SP metadata need to be reloaded into the identity provider (IdP) end in order to get SSO auth working when we are upgrading from 6.10.8 to 6.11.9?
    In this case, what would be the best upgrade approach to minimize downtime?




  • 4.  RE: Clearpass firmware upgrade

    Posted Aug 22, 2024 06:10 AM

    Hi

    I haven't done any upgrades where ClearPass is the SAML SP, but as you restore the same configuration and the same certificates to the ClearPass 6.11 servers, I assume that the IdP would see it as the same host.

    Start the upgrade on the subscriber; this way you will be able to manage the 6.10 server, have the two versions running in parallel, and do verifications.

    Do you have a VIP address in the cluster for the SP traffic? In that case you just move the VIP from the 6.10 server to the 6.11 server.

    If you don't have a VIP, maybe an update of the DNS record can change the active host. It depends a bit on your setup.

    This question should maybe have been a separate topic, to not mix different questions in the same thread.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpass firmware upgrade

    MVP EXPERT
    Posted Aug 22, 2024 03:52 AM

    In short:

    1. Create a configuration backup and, if it's a virtual appliance, a VMware snapshot
    2. Update 6.10.xx to the latest version
    3. Create a configuration backup of the latest 6.10.x.x
    4. Install a new appliance with 6.11.1 (new publisher)
    5. Restore backup
    6. Import licences, see your https://networkingsupport.hpe.com/
    7. Import your certificates
    8. Install a second appliance with 6.11.1 (new subscriber)
    9. Join the new subscriber to the new publisher

    If you're not familiar with this process, ask an Aruba Certified Professional to assist you.

    See also more information here: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Content/ReleaseNotes/Behaviors/Installation-6-11-x.htm

    Hope this helps

    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------