Security

  • 1.  Clearpass migration hardware and software migration

    Posted Mar 07, 2025 12:24 PM

    I need to upgrade a ClearPass cluster based on C3000 (DL360 Gen9) to new N3000 1G hardware appliances. This includes changing the software version from 6.10 to 6.12. From the docs I already learned that an upgrade from 6.10 to 6.12 is a two-step process. I also saw that the minimum requirement of the new N3000 1G is 6.11.
    From some testing I did in a lab I learned that Active Directory does not really work out of the gate when doing a configuration restore. Some of the questions I have are:

    • Is there a recommended order for migrating (start with publisher or the opposite start with subscribers)?
    • Can you even run different software versions together?
    • When moving hardware and software is it better to build policies from scratch or can I rely on the backup configuration?
    • The end state is 6.12 but when migrating, should I thoroughly test functionality on 6.11 before moving to 6.12?
    • What are some known features that do not work when restoring the configuration? 

    Thanks in advance,



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------


  • 2.  RE: Clearpass migration hardware and software migration

    Posted Mar 07, 2025 02:23 PM
    • Migrating to 6.11 and higher requires a fresh install. Please also check the installation guide.
    • N1000 is supported since the 6.11 release
    • Restoring a 6.10 config on a 6.12 machine is not possible. You first need to install 6.11 and then upgrade to 6.12
    • You need to rebuild the cluster. Because you have new appliances you can build the new cluster and restore the 6.10 config on the new 6.11 cluster
    • Running different software together is fine but they will not form one cluster
    • Definitely restore the configuration. It's not needed to redo the configuration. You can rely on the backup
    • Always test the functionality of course, but the process is solid
    • Yes you need to join the server to AD (only if you use MSCHAPv2 / EAP-PEAP which is not recommended)

    Upgrade path:

    • Build new cluster with the N1000 nodes on 6.11 and install latest 6.11 patch
      • Join the servers to the AD
    • Update current 6.10 cluster to latest 6.10 patch release
    • Backup 6.10 configuration
    • Restore configuration on new servers
    • Point RADIUS clients to new ClearPass cluster
      • Or add the old ClearPass IPs as a VIP to the new ClearPass cluster
      • Or change ClearPass server IPs (not my preferred option)


    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 3.  RE: Clearpass migration hardware and software migration

    Posted Mar 09, 2025 03:56 PM

    Thank you very much for the detailed response, I think I can figure this out. At least I understand that I need to test twice, both on 6.11 and 6.12. I will familiarize myself further with the documents shared.



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------