So my first bit of advice, from having done this after being told that 6.11.2 was stable and then being told that 6.11.3 would be stable, is: don't upgrade until at least 6.11.4 if at all possible. Lots of stuff is still broken; I just had another issue today where 6.11.3 is broken for StartTLS LDAPS if the DCs have TLS 1.0 and TLS 1.1 disabled. Please check with your Aruba CSE before upgrading any ClearPass hardware!
Otherwise, here are some lessons learned:
1. Firmware on the HPE servers was way out of date; it looks like they shipped with something from 2018.
Despite being shipped in 2023, the firmware is still on the initial factory 2018 version.
a. Firmware information / upgrade info is not included in the release notes.
b. Server firmware is login blocked, which the customer ASP support login does not appear to allow access to, so HPE server support may be required.
https://support.hpe.com/connect/s/product?language=en_US&ismnp=0&l5oid=1010007891&cep=on&kmpmoid=1010093150&tab=driversAndSoftware&driversAndSoftwareFilter=8000029&environmentType=2200021
2. Enable UEFI in the iLO (documented in the release notes; ref: https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Default.htm#UpgradeUpdate/Up-Installing-ISO-6-11.htm?TocPath=Installing%2520ClearPass%25206.11%257C_____4)
a. If iLO is not available, upgrade via the F9 menu.
3. Enable TPM via the console using F9 (documented in the release notes; ref: https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Default.htm#UpgradeUpdate/Up-Installing-ISO-6-11.htm?TocPath=Installing%2520ClearPass%25206.11%257C_____4)
4. RADIUS dictionary attributes don't appear to come over.
a. Any RADIUS dictionary that has a space or "." character will need to be exported and re-added without those characters, as the RADIUS service won't restart.
i. ClearPass 6.9 and 6.10 allowed special characters in the RADIUS dictionaries; 6.11 does not. The import will happen successfully, but the RADIUS service will not start.
ii. The Event Viewer has a good log to point you in the right direction as to which RADIUS dictionary is causing the issues.
5. If you load 6.11.0 and not 6.11.1, upgrading by locally uploading the patch file DOES NOT WORK! If you loaded 6.11.0 and not 6.11.1, start over.
6. The ASP login is not the login used for the new token generation; the Token Generate page doesn't show this or a forgot-password link. Use the HPE login below to resolve.
a. HPE login WebSphere site:
i. Confirm user credentials work on: https://cf-passport.it.hpe.com/hppcf/login.do
1. If the credentials don't work, reset the password.
2. After resetting, also reset the ASP user/pass so that they are both in sync.
7. Activate Licenses may not work.
a. Have an Aruba TAC case reset the activation count before starting the upgrade process.
b. If you loaded 6.11.1, you can locally upload the 6.11.3 patch, but Activate/Software may still not work.
c. There is a script that TAC can run to get around this.
i. TAC has to log in and go through support to generate the OTP to get to the RHEL bash/sh shell.
ii. Then update the /usr/local/avenda/platform/bin/platform-cli/do-update.sh file.
8. Support does not show as available / linked to the account even when ASP shows active support and a SAID.
a. Example:
i. The customer was within the first year of purchasing three C3010 servers (10k Access, 5k OnGuard) with 5 years of support.
ii. Support was shown as active in the ASP Support section with a SAID for the hardware serial numbers that were being upgraded.
1. Valid SNs and software support shown.
2. Valid expiration in 2027 shown.
3. Same ASP account used with LMS and ASP, all showing the licenses and support.
iii. The ClearPass Publisher eventually showed, but the Subscribers did not.
1. Aruba TAC, via the CLI, were able to trigger additional web calls to get the Publisher to show as having support.
b. An Aruba TAC case will have to be created to re-link on the back end.
i. Open the Aruba TAC support case before beginning the upgrade process so the engineer is ready for the upgrade.
9. Certificates do not come over with the configuration (documented in the release notes, but also confirmed).
a. This is documented, but confirmed even when "restore node information" is selected.
i. Be sure to disable ECC if using a public CA for the HTTPS cert.
10. AD rejoin required (documented, but also confirmed).
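A pre-upgrade check for item 4, added here as an example and not part of the original post or of any ClearPass tool: it walks an exported dictionary file, lists every name containing a space or ".", proposes a replacement, and flags replacements that would collide with a name already in the export. The XML element layout of the sample is a constructed assumption; the checker relies only on `name` attributes, so it is not tied to that layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for a ClearPass RADIUS dictionary export.
# The element names are an assumption; only the `name` attributes matter below.
SAMPLE_EXPORT = """
<TipsContents>
  <RadiusDictionaries>
    <RadiusDictionary name="Acme Wireless" vendorId="99999">
      <Attribute name="Acme.VLAN-Id" type="Integer"/>
      <Attribute name="Acme-Role" type="String"/>
    </RadiusDictionary>
    <RadiusDictionary name="Acme-Wireless" vendorId="99998">
      <Attribute name="Acme-Role" type="String"/>
    </RadiusDictionary>
  </RadiusDictionaries>
</TipsContents>
"""

# Characters the post reports as breaking RADIUS service start on 6.11.
BAD_CHARS = re.compile(r"[ .]")


def sanitize(name):
    """Replace each space or '.' with '-', collapse runs of '-', trim the ends."""
    return re.sub(r"-{2,}", "-", BAD_CHARS.sub("-", name)).strip("-")


def find_invalid_names(export_xml):
    """Return {original: proposed replacement} for every offending `name`."""
    root = ET.fromstring(export_xml)
    renames = {}
    for elem in root.iter():  # root.iter() covers every element, root included
        name = elem.get("name")
        if name and BAD_CHARS.search(name):
            renames[name] = sanitize(name)
    return renames


def check_collisions(export_xml):
    """Proposed replacements that already exist in the export (must be renamed by hand)."""
    root = ET.fromstring(export_xml)
    existing = {e.get("name") for e in root.iter() if e.get("name")}
    return sorted(new for new in find_invalid_names(export_xml).values() if new in existing)


if __name__ == "__main__":
    for old, new in find_invalid_names(SAMPLE_EXPORT).items():
        print(f"rename {old!r} -> {new!r}")
    for clash in check_collisions(SAMPLE_EXPORT):
        print(f"collision: {clash!r} already exists, pick another name")
```

Run it against a real export before the upgrade, fix the reported names, and re-import the cleaned dictionaries so the RADIUS service can start on 6.11.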
Original Message:
Sent: May 23, 2023 03:38 AM
From: peter.elms
Subject: Clearpass upgrade of HARDWARE appliance to 6.11.2
Thanks for your reply.
I appreciate you taking the time; however, what I'm really after is an engineer who's actually done a hardware appliance upgrade and any helpful hints
from their experience of it. We have a very large university campus to upgrade.
Cheers,
Pete
Original Message:
Sent: May 19, 2023 08:25 AM
From: ahollifield
Subject: Clearpass upgrade of HARDWARE appliance to 6.11.2
Yeah, but if you have two servers, just upgrade one, fully test, then upgrade the other. If there is a VIP between these two, then just move the VIP accordingly.
Original Message:
Sent: May 19, 2023 08:21 AM
From: peter.elms
Subject: Clearpass upgrade of HARDWARE appliance to 6.11.2
Thank you for your response.
I forgot to mention that we were going to go for 6.11 patch 3.
The customer has 2 x C3010 hardware appliances in a cluster.
We were planning to do the Publisher first, then the Subscriber.
However, do you have experience of a hardware appliance upgrade?
The bit that concerns me is NOT being able to roll back.
Regards,
Peter
Original Message:
Sent: May 19, 2023 07:45 AM
From: ahollifield
Subject: Clearpass upgrade of HARDWARE appliance to 6.11.2
I'm not sure you can. There is no ISO file for 6.10. Do you have multiple ClearPass servers for HA? Also, you should upgrade to 6.11 patch 3, not patch 2.
Original Message:
Sent: May 19, 2023 03:14 AM
From: peter.elms
Subject: Clearpass upgrade of HARDWARE appliance to 6.11.2
Hi Airheads,
Has anyone done a C3010 ClearPass hardware appliance upgrade to 6.11?
I've seen Herman's posts about flashing a USB stick, and all looks good.
However, I was wondering, if for some reason we had to revert to the old system (for example, go back to 6.10),
how easy is this process?
Regards,
Pete