Security

 View Only
last person joined: 22 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass upgrade of HARDWARE appliance to 6.11.2

This thread has been viewed 48 times
  • 1.  Clearpass upgrade of HARDWARE appliance to 6.11.2

    Posted May 19, 2023 03:15 AM

    hi Airheads,
    anyone done a C3010 Clearpass hardware appliance upgrade to 6.11 ?
    i've seen Herman's posts about flashing a USB stick and all looks good.
    However i was wondering if for some reason we had to revert back to the old system (for example go back to the 6.10)
    How easy is this process ?
    regards
    Pete



  • 2.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

    Posted May 19, 2023 07:45 AM

    I'm not sure you can.  There is no ISO file for 6.10.  Do have multiple ClearPass servers for HA?  Also you should upgrade to 6.11 patch 3 not patch 2.




  • 3.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

    Posted May 19, 2023 08:22 AM

    thank you for your response.
    i forgot to mention that we were going to go for 6.11 patch 3.
    The customer has 2 x C3010 hardware appliances in a cluster.
    we were planning to do Publisher first then Subscriber.
    However do you have experience of a hardware appliance upgrade ?
    The bit that concerns me is NOT being able to roll back.
    regards
    Peter




  • 4.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

    Posted May 19, 2023 08:26 AM

    Yeah but if you have two servers just upgrade one, fully test, then upgrade the other.  If there is a VIP between these two, then just move the VIP accordingly.




  • 5.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

    Posted May 23, 2023 03:38 AM

    thanks for your reply,
    i appreciate you taking the time however what i'm really after is an engineer who's actually done a hardware appliance upgrade and any helpful hints
    from their experience of it. We have a very large university campus to upgrade.
    cheers
    Pete




  • 6.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

    Posted May 25, 2023 01:06 PM

    So my first bit of advice from having done this after being told that 6.11.2 is stable, then being told the 6.11.3 would be stable, is don't upgrade until at least 6.11.4 if at all possible. Lots of stuff is still broken, just had another issue today where 6.11.3 is broken for StartTLS LDAPS if the DC's have TLS 1.0 and TLS 1.1 disabled. Please check with your Aruba CSE before upgrading any ClearPass Hardware! 


    Otherwise here's some lessons learned:

    1.       Firmware on the HPE Servers was way out of date, looks like they shipped with something from 2018. 

    Despite being shipped in 2023 firmware is still on initial factor 2018

    a.       Firmware information / upgrade info is not included in the release notes

    b.       Server Firmware is login blocked which the customer ASP support login does not appear to allow access to so HPE server support may be required.

    https://support.hpe.com/connect/s/product?language=en_US&ismnp=0&l5oid=1010007891&cep=on&kmpmoid=1010093150&tab=driversAndSoftware&driversAndSoftwareFilter=8000029&environmentType=2200021

    2. 2.       Enable UFEI in the iLo (documented in release notes Ref: https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Default.htm#UpgradeUpdate/Up-Installing-ISO-6-11.htm?TocPath=Installing%2520ClearPass%25206.11%257C_____4))

    a.       If iLo is not available upgrade via F9 menu

    3.3.       Enable TPM via Console Using F9 (documented in release notes Ref: https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Default.htm#UpgradeUpdate/Up-Installing-ISO-6-11.htm?TocPath=Installing%2520ClearPass%25206.11%257C_____4))

    4.4.       RADIUS dictionary attributes don't appear to come over

    a.       Any RADIUS dictionary that has space or . character will need to be exported and readded without those characters as the RADIUS service won't restart

                                                                   i.      ClearPass 6.9 and 6.10 allowed Special characters in the RADIUS dictionaries, 6.11 does not. The import will happen successfully, but RADIUS service will not start

                                                                 ii.      Event viewer has a good log to point in the right direction of which RADIUS dictionary is causing the issues

    5.5.       If you load 6.11.0 and not 6.11.1 Upgrading by locally uploading the patch file DOES NOT WORK! If you loaded 6.11.0 and not 6.11.1 start over.

    6.6.       ASP login is not the login used for the new token generation, the Token Generate page doesn't show this or a forgot password link use the HPE login below to resolve.

    a.       HPE login WebSphere site:

                                                                   i.      Confirm user credentials work on: https://cf-passport.it.hpe.com/hppcf/login.do

    1.       If credentials don't work reset password

    2.       After resetting also reset the ASP user/pass so that they are both in sync

    7.   7,    Activate Licenses may not work

    a.       Have Aruba TAC case reset the activation count before starting the upgrade process

    b.       If you loaded 6.11.1, you can locally upload the 6.11.3 patch, but the Activate/Software may still not work.

    c.       There is a script that can be run to get around this that TAC has to get around this.

                                                                   i.      TAC has to log in and go through support to generate the OTP to get to the RHEL bash/sh shell

                                                                 ii.      Then update the /usr/local/avenda/platform/bin/platform-cli/do-update.sh file

    8.8.       Support does not show as available / linked to account even when in ASP it shows active support and SAID

    a.       Example:

                                                                   i.      Customer was within the first year of purchasing 3 3010 servers 10k Access, 5k OnGuard with 5 years support

                                                                 ii.      Support was shown as active in ASP Support section with SAID of the hardware serial numbers that were being upgraded

    1.       Valid SN's and Software support shown

    2.       Valid expiration for 2027 shown

    3.       Same ASP account used use with LMS and ASP all showing the Licenses and Support

                                                               iii.      ClearPass Publisher eventually showed but the subscribers did not.

    1.       Aruba TAC via CLI were able to trigger additional web calls to get the publisher to show as having support

    b.       Aruba TAC case will have to be created to re-link on the back end

                                                                   i.      Open Aruba TAC support case before beginning the upgrade process to have the engineer ready for the upgrade

    9.     9.  Certificates do not come over with the configuration (Documented in release notes, but also confirmed)

    a.       This is documented, but confirmed even when restore node information is selected

                                                                   i.      Be sure to disable ECC if using a public CA for HTTPS cert

    10.   AD rejoin required (Documented but also confirmed)




    1. 7.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

      MVP
      Posted May 23, 2023 08:11 AM

      Just updating one server sounds simple, but many, like us, have a cluster of 5 servers due to client loading. Upgrading just some pf the servers is NOT an option.

      Even if that were an option, and we needed to downgrade the 6.11 servers, you did not give a downgrade path The only option I can think of is to RMA the server hardware. That is quite drastic and you end up with a repaired server that may be prone to failure. I had that happen with past RMAs.

      What is Aruba's official; downgrade path? We are especially concerned because, in January, we attempted to upgrade from 6.9.x to 6.10.x and had to downgrade. Our current plan is to go from 6.9.x to latest 6.11.x with a freshly built 6.11 configuration.



      ------------------------------
      Bruce Osborne ACCP ACMP
      Liberty University

      The views expressed here are my personal views and not those of my employer
      ------------------------------



    2. 8.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

      EMPLOYEE
      Posted May 26, 2023 10:42 AM

      Not sure if there is an official downgrade path from 6.11 as the disks are fully re-imaged, but what I have seen is people buying spare harddisks (find the HPE replacement parts), then put the original disks on the shelf and fresh install on the spare disks. In this way you can revert back the changes to BIOS and put back the disks from the shelf.



      ------------------------------
      Herman Robers
      ------------------------
      If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

      In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
      ------------------------------



    3. 9.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

      MVP
      Posted May 26, 2023 11:02 AM

      In my personal opinion, as part of ClearPass support, a downgrade path should be included.

      If additional disks are required for that, they should be provided free of charge,.



      ------------------------------
      Bruce Osborne ACCP ACMP
      Liberty University

      The views expressed here are my personal views and not those of my employer
      ------------------------------



    4. 10.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

      Posted May 30, 2023 10:50 AM

      Thanks Herman,
      not a bad idea changing hard drive over .
      is it a relatively straightforward job to chnage hard drives over ?
      cheers
      Pete




    5. 11.  RE: Clearpass upgrade of HARDWARE appliance to 6.11.2

      EMPLOYEE
      Posted Jun 28, 2023 05:39 AM

      Depending on the hardware model and if you have replacement drives that include a tray, you should be able to (after poweroff) slide the drives out and slide the new drives in. If you don't have the trays, just the drives, you may need to remove a few screws to remove the old drive from the tray and replace with the other drive.



      ------------------------------
      Herman Robers
      ------------------------
      If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

      In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
      ------------------------------