I have 4 physical servers currently on version 6.10: one publisher with a backup publisher that share the VIP-a address, and another 2 subscribers that share the VIP-b address.
All my switches are configured to have VIP-a as the primary server and VIP-b as backup; however, my APs use VIP-a or VIP-b as primary depending on their locations.
If I want to upgrade to version 6.11 with the least impact and downtime, would the below approach be right?
1) Start the upgrade with one of the subscribers (which shares the VIP-b address):
- Remove it from the VIP setting, so the VIP stays only with the other node
- Remove it from the cluster
- Upgrade to version 6.11 and restore the config
At this point I assume the other 3 servers on version 6.10 still continue providing service to the clients, the NADs are still pointing to the 6.10 publisher, and there won't be any disruption to the service?
I'm planning to test some authentications by pointing some switches to the new 6.11 server with the old IP address to make sure all the config was restored correctly. I assume that, as I removed the VIP setting, the APs that have VIP-b as the primary server are still pointing to the other subscriber? Would I have any issue in terms of using production licenses in 6.11 in parallel with 6.10?
2) Continue the upgrade by removing the second subscriber, which shares VIP-b, and upgrading it to version 6.11. Now I have my 6.11 cluster with redundancy, but again my question is: would both clusters work in parallel without any issues (i.e. with the licenses)? So devices that have VIP-b as primary work with 6.11 and devices that have the VIP-a address as the primary address work with version 6.10?
I think your plan looks good. You will not have any licensing issues when installing 6.11. The activation of the licenses is enabled when you try to activate from 6.11. Please also verify that you have the hardware serial numbers in ASP, if you are running on hardware servers, and connected support agreements on all licenses. If you don't have a support agreement on PAK licenses you will not be able to download updates.
When the first server is updated and you perform the test towards the IP address of the server, if you have older computers with certificates stored in the TPM, be aware of the TPM bug causing old computers to fail to perform PSS-RSA, a new algorithm for ClearPass. See my blog post about the issue https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/ or this thread in Airheads https://community.arubanetworks.com/discussion/clients-affected-by-cp49353-in-clearpass-611-from-windows-10
This PSS-RSA issue can, in 6.11.4, be handled by disabling the PSS-RSA algorithm on the ClearPass servers under the RADIUS service settings on each server.
As the second server you can take the other VIP-b subscriber, or the standby publisher for VIP-a.
When you have two 6.11 servers running you can move first one VIP and then the second one to the 6.11 cluster.
As you have physical servers, rollback "is a bit tricky" (read: not possible without TAC or RMA), so leave the two remaining 6.10 servers untouched for a few days in case you need to do a rollback to 6.10.
Finally, reinstall the two remaining servers with 6.11 and distribute the VIP addresses as before.
With your plan you should be able to do the migration to 6.11 more or less without any downtime or disturbance at all.
Thanks for the reply, very helpful. By moving the VIP address, do I just simply configure a new virtual IP for VIP-b on the 6.11 cluster, or do I have to delete VIP-b first on the 6.10 cluster?
When you do a restore of the configuration to the 6.11 cluster the VIP addresses will be configured, but disabled.
So the process will be to disable the VIP on the 6.10 cluster and enable the same on 6.11. As the VIP function uses VRRP, the nodes will communicate with VRRP between the cluster nodes in the different clusters.
I had a chance to try this in the lab (VM version though). When I restored the config, I could see all the other nodes in my old cluster as subscribers, but disabled. The VIP was there too but I had to disable it. I have a couple of queries now: from the time that the new cluster restored the config with the same VIP until I disable the VIP, which would be straight away, would there be any blips in the service? Also, am I right in assuming the next step would be to upgrade another node with the same IP and, when it's up, I just have to click on that node on the new cluster (Administration > Server Configuration) and do 'Join server back to cluster'?
Finally which patch of 6.11 should I upgrade to?
The latest patch is number 5, I would recommend this as it contains both bug fixes and security patches.
Normally you don't see the cluster nodes from the old cluster, so I assume you selected the option to also restore cluster nodes. You can skip this option.
All other cluster nodes must be added with the Make Subscriber command.
Regarding the VIP settings I normally remove the VIP from the first server so no VIP addresses are active on the node before the backup.
When restoring, the VIP settings are restored but all of them are disabled.
I have not seen any issues with this procedure in the environments I have updated.
Thanks for the reply. So the order after re-imaging to 6.11 is: first restore the certificates (all but the DB certificate), then the Policy Manager config backup?
If I go with a new IP after installing 6.11, would I have any issue with the DB certificate when I want to re-IP back to the existing IP? I noticed that when I restore the DB certificate the SAN field would be the IP address of the old publisher. The reason that I want to re-IP is so I can do tests and verifications before pointing the production devices to version 6.11.
If you change the management IP the database certificate must be updated with the new IP as a SAN in the format DNS:10.11.12.13.
In ClearPass 6.11 the database certificate SAN is updated automatically if the IP address is changed and the certificate is the default self-signed certificate. It will take "some time"; how long is unspecified. I have not tested and clocked this to see how long it can take. If the DB certificate has been replaced with a cert signed by a CA, the automatic process will not work.
But in your scenario, if you have VIP addresses, do you need to change the IP? You can run the test directly towards the interface IP and, when the tests are done, move the VIP and start to use the VIP addresses instead.
I can re-image them with the same IP, but still, if I start with one of the subscribers (rather than the publisher), the IP on the certificate would be different to the IP of the subscriber that would be the new publisher in the 6.11 cluster. Would I have any issue then joining other nodes to the 6.11 cluster? You mentioned updating the database certificate; how do I do that if I need to?
If you start with the current 6.10 subscriber and this server becomes the 6.11 publisher, you can move the publisher role back to the current publisher server without any need to worry about the database certificate.
To update the database certificate navigate to the certificate store and click the Create Self-Signed Certificate link in the upper right corner.
Select Server Certificate and Database certificate from the drop downs.
The form will update and also get the correct SAN prepopulated.
Just remember to set the private key password and change the "Valid for" from 180 days to a longer period. The default time for database certificates in ClearPass is 5 years, so I have put 1828 days here.
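Added example, not part of the thread and not a ClearPass tool: the two replies above describe the database certificate's expected SAN (the management IP written as DNS:10.11.12.13) and the validity to set (1828 days instead of the 180-day default). The script below builds a self-signed certificate with exactly those properties so you can see the shape, and provides checks you can run against a certificate exported from the ClearPass certificate store before joining nodes. It assumes openssl 1.1.1 or newer on PATH (for -addext), uses the thread's placeholder IP 10.11.12.13, and writes the demo key unencrypted (-nodes); the ClearPass form itself requires a private key password.

```shell
#!/bin/sh
# Added example (not ClearPass's own tooling): mimic the database certificate
# the thread describes (SAN entry "DNS:<management IP>", 1828-day validity) and
# check an exported certificate for that SAN and a minimum remaining validity.
# Assumptions: openssl 1.1.1+ on PATH (-addext), 10.11.12.13 is the thread's
# placeholder IP, and the demo key is unencrypted (-nodes) for simplicity.
set -eu

# make_db_style_cert IP DIR
# Writes DIR/db.key and DIR/db.crt: self-signed, SAN "DNS:IP", valid 1828 days
# (the thread's value approximating the 5-year ClearPass default).
# Prints the certificate path.
make_db_style_cert() {
  ip=$1
  dir=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/db.key" -out "$dir/db.crt" -days 1828 \
    -subj "/CN=clearpass-db" \
    -addext "subjectAltName=DNS:$ip" >/dev/null 2>&1
  printf '%s\n' "$dir/db.crt"
}

# cert_san_entries CERT
# Prints the subjectAltName entries of CERT one per line (e.g. "DNS:10.11.12.13").
cert_san_entries() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# cert_has_san_ip CERT IP
# Exit 0 only if CERT carries exactly "DNS:IP" in its SAN, the form the thread
# says ClearPass expects for the node's management IP.
cert_has_san_ip() {
  cert_san_entries "$1" | grep -qx "DNS:$2"
}

# cert_valid_for_days CERT DAYS
# Exit 0 only if CERT does not expire within DAYS days; catches a certificate
# left at the 180-day default the thread warns about.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo when run directly as: sh check_db_cert.sh demo
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp -d)
  crt=$(make_db_style_cert 10.11.12.13 "$tmp")
  echo "SAN entries:"; cert_san_entries "$crt"
  cert_has_san_ip "$crt" 10.11.12.13 && echo "SAN matches management IP 10.11.12.13"
  cert_has_san_ip "$crt" 10.11.12.99 || echo "SAN does not match 10.11.12.99 (expected)"
  cert_valid_for_days "$crt" 1800 && echo "valid for at least 1800 days"
  rm -rf "$tmp"
fi
```

To check a real node, export the database certificate from Administration > Certificates > Certificate Store as PEM and run cert_has_san_ip on it with the new management IP; if the automatic SAN update the reply above mentions has not yet happened, the check fails and you know to regenerate the certificate before joining other nodes.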
Thanks for all your help and advice, I think I might know enough now to do the upgrade. Just one last question: I assume the direct upgrade to 6.11.5 is not possible? Is the path 6.11.1 > 6.11.5?
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.