Thank you very much for the detailed response. I think I can figure this out. At least I understand that I need to test twice, both on 6.11 and 6.12. I will familiarize myself further with the documents shared.
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------
Original Message:
Sent: Mar 07, 2025 02:23 PM
From: willembargeman
Subject: Clearpass migration hardware and software migration
- Migrating to 6.11 and higher requires a fresh install. Please also check the installation guide
- N1000 is supported since the 6.11 release
- Restoring a 6.10 config on a 6.12 machine is not possible. You first need to install 6.11 and then upgrade to 6.12
- You need to rebuild the cluster. Because you have new appliances you can build the new cluster and restore the 6.10 config on the new 6.11 cluster
- Running different software together is fine but they will not form one cluster
- Definitely restore the configuration. It's not needed to redo the configuration. You can rely on the backup
- Always test the functionality, of course, but the process is solid
- Yes, you need to join the server to AD (only if you use MSCHAPv2 / EAP-PEAP, which is not recommended)
Upgrade path:
- Build new cluster with the N1000 nodes on 6.11 and install latest 6.11 patch
- Join the servers to the AD
- Update current 6.10 cluster to latest 6.10 patch release
- Backup 6.10 configuration
- Restore configuration on new servers
- Point RADIUS clients to new ClearPass cluster
- Or add the old ClearPass IPs as a VIP to the new ClearPass cluster
- Or change ClearPass server IPs (not my preferred option)
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Mar 07, 2025 12:24 PM
From: mvanoverbeek
Subject: Clearpass migration hardware and software migration
I need to upgrade a ClearPass cluster based on C3000 (DL360 Gen9) to new N3000 1G hardware appliances. This includes changing the software version from 6.10 to 6.12. From the docs I already learned that an upgrade from 6.10 to 6.12 is a two-step process. I also saw that the minimum requirement of the new N3000 1G is 6.11.
From some testing I did in a lab I learned that Active Directory does not really work out of the gate when doing a configuration restore. Some of the questions I have are:
- Is there a recommended order for migrating (start with publisher or the opposite start with subscribers)?
- Can you even run different software versions together?
- When moving hardware and software is it better to build policies from scratch or can I rely on the backup configuration?
- The end state is 6.12 but when migrating, should I thoroughly test functionality on 6.11 before moving to 6.12?
- What are some known features that do not work when restoring the configuration?
Thanks in advance,
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------