Security

 View Only
  • 1.  Clearpass upgrade from HARDWARE appliance to 6.11 VM

    Posted Mar 02, 2023 07:22 AM

    hi Airheads ,

    i have a customer with 2 x HARDWARE Clearpass appliances running 6.8.9.120997 code.

    They know they have to go 6.11 VM.

    Anyone done this or got experience of this ?

    cheers

    Peter



  • 2.  RE: Clearpass upgrade from HARDWARE appliance to 6.11 VM

    Posted Mar 02, 2023 08:54 AM
    Edited by afedeli Mar 02, 2023 08:56 AM

    Hi,

    there is a lot of documentation about that, anyway my suggestion is to upgrade to 6.10, take a backup of the existing HW databases, licenses and certificates , set up the VM and import the backup into the new 6.11.

    As a reference:

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Cluster%20Upgrade/Cluster_Upgrade/Moving_to_CPPM_6.11.htm

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-VersionConsiderations.htm



  • 3.  RE: Clearpass upgrade from HARDWARE appliance to 6.11 VM

    Posted Mar 02, 2023 10:24 AM

    Hi Peter

    I have done a few C1000 hardware appliances and also some VM servers. Will do both C2010 and C3010 later, but not in the near future.

    Some installations have been very smooth, and some have had som issues.

    First issue have been to boot and install the 6.11 image. There is a known issue when deploying 6.11 from USB stick on some C1000 mashines.

    From the machines I have seen, six so far, older hardware works fine. I have only run on quite old and really new hardwares. But on the newer I have got problems that the machine boots on the USB stick but can't find the disk in the server after selecting to install the image on C1000 hardware.

    Installation from DVD may solve the issue and we successfully installed from DVD on one server. But I have a TAC case to resolve another machine where both USB stick and DVD are failing to find the disk in the server.

    A link to my Airheads thread about the issue:
    https://community.arubanetworks.com/discussion/error-during-611-installation-on-c1000#bmf61b03ec-45dc-472f-bbd1-d0d55c633013

    Second issue is related to the new check of active support agreement introduced in ClearPass 6.11.

    You need to have an active support agreement for eash serial number you plan to install 6.11 on. If you have done an RMA and replaced the original hardware, it's a pretty good chance that the new serial number isn't connected to your support agreement in the background at Aruba.

    You can also get issues to download the updates the first 24 hours due to some back end sync of information after generating the token to download updates in ClearPass.

    If you are running in an air gap environment, I haven't seen instructions on how to install the updates.

    A new boot image may be on it's way to solve the above issues, both with the problem to find the disk and also installing 6.11.2 so no need to update after installation. 6.11.2 have not been released yet to the ASP portal, but I saw it in the download list on a 6.11 server today.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: Clearpass upgrade from HARDWARE appliance to 6.11 VM

    Posted Mar 02, 2023 10:35 AM

    hi Jonas,

    Thanks for getting back.

    my customer has 2 x hardware Clearpass appliance which they are getting rid of because they want to got to 6.11 Virtual Machine.

    cheers

    pete

    p.s. i would like to know are there any issues going through this process ? For example taking backup and licencing




  • 5.  RE: Clearpass upgrade from HARDWARE appliance to 6.11 VM
    Best Answer

    Posted Mar 02, 2023 11:07 AM

    Hi Peter

    The process on VM is easy, and I have not seen any other issues than the issue with the update download. The support agreement is the same where I would recommend to check with Aruba if there are valid support agreements connected to the licenses before installing.

    Did one installation for a customer today. They where on 6.8.x but I installed a temporary 6.10.8 server just to be able to do a restore to this machine and then take a backup from a supported version and do the restore in the 6.11 server.

    One benefit for your customer is that they can keep the hardware server during the installation and configuration of the new servers. Giving time to resolve any issues with the support agreement.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: Clearpass upgrade from HARDWARE appliance to 6.11 VM

    Posted Mar 02, 2023 11:40 AM

    thanks again,

    so if i have a customer on 6.8 or 6.9.

    Upgrade to 6.10 take a backup, licences, certs etc. and restore to a new 6.11 VM ?

    Cheers

    peter

     




  • 7.  RE: Clearpass upgrade from HARDWARE appliance to 6.11 VM

    Posted Mar 02, 2023 12:41 PM

    Hi

    From 6.8 or earlier you either need to follow the recommened upgrade path, or use temporary servers to restore your backups to. Migration from 6.9.12 or later is supported as well as all 6.10 versions.

    As some server and settings are not included in the backup, they are not restored on the new 6.11 server.

    This includes all settings found under the server object like IP settings, domain join, ACL hardening, service specific settings like proxy server, Interim accounting, SNMP settings etc.
    Settings under Cluster Wide Parameters are included in configuration backup and restore.

    Read the installation instructions carefully, if possible, do the first restore in a lab environment. If you have large Session and Insight backups to restore, plan for a longer service window.

    In short (from the top of my head):

    • Backup
    • Document licenses, server settings etc
    • Export certificates
    • Install 6.11
    • Run initial configuration
    • Add PAK license and other licenses
    • Activate licenses
    • Add CA certificates to the trust list
    • Add certificates
    • Update to latest patch release
    • Restore config backup
    • Restore session and insight if required
    • Manual configuration of server settings
    • Domain join (Only needed for PEAP)
    • Cluster if multiple servers



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------