Security

Hi All,

I'm planning to upgrade our ClearPass deployment from a physical appliance(6.10.8)  to a virtual machine(6.11.*). As part of this upgrade, I have a question regarding the Onguard Agent installed on user machines.

Since we're currently using the persistent Onguard Agent, I'd like to understand what steps (if any) need to be taken on the client side when we migrate ClearPass. Specifically:

• Will the existing agents automatically connect to the new virtual ClearPass server?

• Do we need to update the agent configuration on each machine (e.g., IP or hostname)?

• Is there a recommended approach for minimizing disruption during this transition?

Appreciate any insights or best practices from those who have performed a similar migration.

Hi @Mithran

Just add VM to the cluster as subscriber, promote it to standby publisher, define VIP address and make sure that clients are connecting via VIP address. Then you can shutdown old publisher and VM will become publisher and clients will connect over VIP address.

Best, Gorazd

Hi All,

I'm planning to upgrade our ClearPass deployment from a physical appliance(6.10.8)  to a virtual machine(6.11.*). As part of this upgrade, I have a question regarding the Onguard Agent installed on user machines.

Since we're currently using the persistent Onguard Agent, I'd like to understand what steps (if any) need to be taken on the client side when we migrate ClearPass. Specifically:

• Will the existing agents automatically connect to the new virtual ClearPass server?

• Do we need to update the agent configuration on each machine (e.g., IP or hostname)?

• Is there a recommended approach for minimizing disruption during this transition?

Appreciate any insights or best practices from those who have performed a similar migration.

@GorazdKikelj is this actually possible ? Joining a 6.11.x or later node to an existing 6.10.x cluster I thought is not supported as I thought they must be the same major version.

@Mithran any reason you're choosing 6.11 and not 6.12? I'm in the same boat myself and curious. 

Original Message:
Sent: Jun 13, 2025 03:10 AM
From: GorazdKikelj
Subject: ClearPass Upgrade: Physical to Virtual – Onguard Agent Concerns

Hi @Mithran

Just add VM to the cluster as subscriber, promote it to standby publisher, define VIP address and make sure that clients are connecting via VIP address. Then you can shutdown old publisher and VM will become publisher and clients will connect over VIP address.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

Original Message:
Sent: Jun 13, 2025 03:01 AM
From: Mithran
Subject: ClearPass Upgrade: Physical to Virtual – Onguard Agent Concerns

Hi All,

I'm planning to upgrade our ClearPass deployment from a physical appliance(6.10.8)  to a virtual machine(6.11.*). As part of this upgrade, I have a question regarding the Onguard Agent installed on user machines.

Since we're currently using the persistent Onguard Agent, I'd like to understand what steps (if any) need to be taken on the client side when we migrate ClearPass. Specifically:

• Will the existing agents automatically connect to the new virtual ClearPass server?

• Do we need to update the agent configuration on each machine (e.g., IP or hostname)?

• Is there a recommended approach for minimizing disruption during this transition?

Appreciate any insights or best practices from those who have performed a similar migration.

Hi Brendan.

No. You can't mix different versions. My comment was just on moving existing phy appliance to vm. To move from 6.10 to 6.11 or higher you need to create a new vm with 6.11 image and migrate config via backup/restore procedure as described in documentation.

Having vip address will help minimize disruptions on the network when you migrate vip address from old node to new one after or before migration. 

6.11 is LSR version and 6.12 is SSR version. Usually in production you preffere LSR version except if you really need features from short version.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

Original Message:
Sent: Jun 15, 2025 07:24 PM
From: BrendanMYS
Subject: ClearPass Upgrade: Physical to Virtual – Onguard Agent Concerns

@GorazdKikelj is this actually possible ? Joining a 6.11.x or later node to an existing 6.10.x cluster I thought is not supported as I thought they must be the same major version.

@Mithran any reason you're choosing 6.11 and not 6.12? I'm in the same boat myself and curious. 

Original Message:
Sent: Jun 13, 2025 03:10 AM
From: GorazdKikelj
Subject: ClearPass Upgrade: Physical to Virtual – Onguard Agent Concerns

Hi @Mithran

Just add VM to the cluster as subscriber, promote it to standby publisher, define VIP address and make sure that clients are connecting via VIP address. Then you can shutdown old publisher and VM will become publisher and clients will connect over VIP address.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

Original Message:
Sent: Jun 13, 2025 03:01 AM
From: Mithran
Subject: ClearPass Upgrade: Physical to Virtual – Onguard Agent Concerns

Hi All,

I'm planning to upgrade our ClearPass deployment from a physical appliance(6.10.8)  to a virtual machine(6.11.*). As part of this upgrade, I have a question regarding the Onguard Agent installed on user machines.

Since we're currently using the persistent Onguard Agent, I'd like to understand what steps (if any) need to be taken on the client side when we migrate ClearPass. Specifically:

• Will the existing agents automatically connect to the new virtual ClearPass server?

• Do we need to update the agent configuration on each machine (e.g., IP or hostname)?

• Is there a recommended approach for minimizing disruption during this transition?

Appreciate any insights or best practices from those who have performed a similar migration.