Hi Airheads,
Anyone done a C3010 ClearPass hardware appliance upgrade to 6.11?
I've seen Herman's posts about flashing a USB stick and all looks good.
However, I was wondering: if for some reason we had to revert back to the old system (for example, go back to 6.10), how easy is this process?
Regards,
Pete
I'm not sure you can. There is no ISO file for 6.10. Do you have multiple ClearPass servers for HA? Also, you should upgrade to 6.11 patch 3, not patch 2.
Thank you for your response.
I forgot to mention that we were going to go for 6.11 patch 3.
The customer has 2 x C3010 hardware appliances in a cluster.
We were planning to do Publisher first, then Subscriber.
However, do you have experience of a hardware appliance upgrade?
The bit that concerns me is NOT being able to roll back.
Regards,
Peter
Original Message:
Sent: May 19, 2023 03:14 AM
From: peter.elms
Subject: Clearpass upgrade of HARDWARE appliance to 6.11.2
Yeah but if you have two servers just upgrade one, fully test, then upgrade the other. If there is a VIP between these two, then just move the VIP accordingly.
Thanks for your reply,
I appreciate you taking the time; however, what I'm really after is an engineer who's actually done a hardware appliance upgrade and any helpful hints from their experience of it. We have a very large university campus to upgrade.
Cheers,
Pete
So my first bit of advice, from having done this after being told that 6.11.2 is stable, then being told that 6.11.3 would be stable, is don't upgrade until at least 6.11.4 if at all possible. Lots of stuff is still broken; just had another issue today where 6.11.3 is broken for StartTLS LDAPS if the DCs have TLS 1.0 and TLS 1.1 disabled. Please check with your Aruba CSE before upgrading any ClearPass hardware! Otherwise, here are some lessons learned:
1. Firmware on the HPE servers was way out of date; looks like they shipped with something from 2018.
Despite being shipped in 2023, firmware is still on initial factory 2018
a. Firmware information / upgrade info is not included in the release notes
b. Server Firmware is login blocked which the customer ASP support login does not appear to allow access to so HPE server support may be required.
2. Enable UEFI in the iLO (documented in release notes. Ref: https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Default.htm#UpgradeUpdate/Up-Installing-ISO-6-11.htm?TocPath=Installing%2520ClearPass%25206.11%257C_____4)
a. If iLO is not available, upgrade via F9 menu
3. Enable TPM via Console using F9 (documented in release notes. Ref: https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Default.htm#UpgradeUpdate/Up-Installing-ISO-6-11.htm?TocPath=Installing%2520ClearPass%25206.11%257C_____4)
4. RADIUS dictionary attributes don't appear to come over
a. Any RADIUS dictionary that has space or . character will need to be exported and readded without those characters as the RADIUS service won't restart
i. ClearPass 6.9 and 6.10 allowed Special characters in the RADIUS dictionaries, 6.11 does not. The import will happen successfully, but RADIUS service will not start
ii. Event viewer has a good log to point in the right direction of which RADIUS dictionary is causing the issues
5. If you load 6.11.0 and not 6.11.1, upgrading by locally uploading the patch file DOES NOT WORK! If you loaded 6.11.0 and not 6.11.1, start over.
6. ASP login is not the login used for the new token generation; the Token Generate page doesn't show this or a forgot password link. Use the HPE login below to resolve.
a. HPE login WebSphere site:
i. Confirm user credentials work on: https://cf-passport.it.hpe.com/hppcf/login.do
1. If credentials don't work reset password
2. After resetting also reset the ASP user/pass so that they are both in sync
7. Activate Licenses may not work
a. Have Aruba TAC case reset the activation count before starting the upgrade process
b. If you loaded 6.11.1, you can locally upload the 6.11.3 patch, but the Activate/Software may still not work.
c. There is a script that TAC has that can be run to get around this.
i. TAC has to log in and go through support to generate the OTP to get to the RHEL bash/sh shell
ii. Then update the /usr/local/avenda/platform/bin/platform-cli/do-update.sh file
8. Support does not show as available / linked to account even when in ASP it shows active support and SAID
i. Customer was within the first year of purchasing 3 3010 servers 10k Access, 5k OnGuard with 5 years support
ii. Support was shown as active in ASP Support section with SAID of the hardware serial numbers that were being upgraded
1. Valid SN's and Software support shown
2. Valid expiration for 2027 shown
3. Same ASP account used with LMS and ASP, all showing the Licenses and Support
iii. ClearPass Publisher eventually showed but the subscribers did not.
1. Aruba TAC via CLI were able to trigger additional web calls to get the publisher to show as having support
b. Aruba TAC case will have to be created to re-link on the back end
i. Open Aruba TAC support case before beginning the upgrade process to have the engineer ready for the upgrade
9. Certificates do not come over with the configuration (Documented in release notes, but also confirmed)
a. This is documented, but confirmed even when restore node information is selected
i. Be sure to disable ECC if using a public CA for HTTPS cert
10. AD rejoin required (Documented but also confirmed)
Just updating one server sounds simple, but many, like us, have a cluster of 5 servers due to client loading. Upgrading just some of the servers is NOT an option.
Even if that were an option, and we needed to downgrade the 6.11 servers, you did not give a downgrade path. The only option I can think of is to RMA the server hardware. That is quite drastic and you end up with a repaired server that may be prone to failure. I had that happen with past RMAs.
What is Aruba's official downgrade path? We are especially concerned because, in January, we attempted to upgrade from 6.9.x to 6.10.x and had to downgrade. Our current plan is to go from 6.9.x to latest 6.11.x with a freshly built 6.11 configuration.
Not sure if there is an official downgrade path from 6.11, as the disks are fully re-imaged, but what I have seen is people buying spare hard disks (find the HPE replacement parts), then putting the original disks on the shelf and doing a fresh install on the spare disks. In this way you can revert the changes to BIOS and put back the disks from the shelf.
In my personal opinion, as part of ClearPass support, a downgrade path should be included.
If additional disks are required for that, they should be provided free of charge.
Thanks Herman,
Not a bad idea changing the hard drive over.
Is it a relatively straightforward job to change hard drives over?
Cheers,
Pete
Depending on the hardware model and if you have replacement drives that include a tray, you should be able to (after poweroff) slide the drives out and slide the new drives in. If you don't have the trays, just the drives, you may need to remove a few screws to remove the old drive from the tray and replace with the other drive.