Maximum nodes in a cluster is 32.
Original Message:
Sent: Mar 21, 2025 08:24 AM
From: jonas.hammarback
Subject: How to Upgrade ClearPass Cluster from C3000 (DL360 Gen9) to N3000 1G Hardware Appliance (Current Version 6.11)
Hi @nehabw
Sorry to say it looks like the answer from @rupkumm16 is generated by AI as it has a lot of signs of AI generated stuff. Looks good at a first glance, but after a deeper reading it's found to be full of errors, non-existent commands, technical buzzwords without meaning etc.
For example the following commands mentioned in the post do not exist in ClearPass CLI:
- system restore
- show db-status
- show interface
- show hardware
Basically, as you are already running on 6.11 you have two paths to follow.
- Keep old cluster, set up a new in parallel
- Join new nodes in the current cluster
With the first option you are sure that no work done during the setup and configuration of the new servers can cause disturbances and downtime on the current authentication flow, but you have to move authentication to the new servers somewhere in the process. Also you will have two publishers to maintain during your migration project. Depending on number of configuration changes this may be a challenge to keep the two clusters in sync manually. Guest users will be a really big challenge.
I would follow the second option, I have successfully replaced nodes in distributed clusters with servers in several countries with this method.
If you don't already have VIP addresses, I think VIP is a good way to transfer the authentication load between servers. I usually configure one VIP address per server and utilize this address for authentication traffic instead of the interface IP on the server. This way I can very easily move the load to the new hardware server, without the need to change IP, update DNS or update RADIUS configuration on your network equipment.
As you have a quite large cluster you can add a few new nodes to the cluster, test them, transfer the production authentication to the new host and then decommission the old hardware. Then continue to the next round of servers. When you join the cluster all configuration is replicated, no need for backups and restores.
I would start with some "less important" servers like the standby publisher, and one subscriber close to your physical location. This way your testing may be easier to do as you don't need to contact local staff to perform test authentications.
Tests that would be good to do on subscribers are of course all types of authentication methods like 802.1x, MAC auth and guest authentication. If EAP-PEAP is still in use in your organization, all new servers must be joined to AD and you need to specify logon servers. In that case verify both the LDAP connection and the NTLM part during authentication.
For the new server that will take over as publisher or standby publisher, make extra verifications of port openings to and from all nodes in the cluster.
Some information is done on each server. This is the configuration done on each server node under Administration\Server Manager\Server Configuration\<Server Name>.
For example service parameters, SNMP configuration, network hardening etc.
Also if you have any static routing entries added in CLI, these must be added on each server.
I'm not sure about the maximum number of servers in a ClearPass 6.11 cluster. In previous versions the upper limit was around 40. I think I have read that it's lower in 6.11 or 6.12, investigate this.
Regarding the licenses, you need to move your application licenses like Access, Onguard and Onboard if you set up a new cluster in parallel. If you join the current cluster the licenses are already installed in the cluster and no need to do anything. The PAK licenses are bound to the hardware serial numbers, you will need to retrieve the new PAK licenses from the networking support portal for the new servers.
When adding new servers to a cluster, remember to verify that all port openings between nodes on different subnets are in place, also check that there are enough IP addresses on each subnet for the new servers.
During the planning, make sure to have detailed plans both for the execution and rollback. It's a big task to replace 20 ClearPass servers in production, but with good planning it's possible to do without disturbances for end users.
Good luck!
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Mar 19, 2025 06:23 AM
From: rupkumm16
Subject: How to Upgrade ClearPass Cluster from C3000 (DL360 Gen9) to N3000 1G Hardware Appliance (Current Version 6.11)
Hi,
Upgrading a ClearPass cluster from the C3000 (DL360 Gen9) to the N3000 1G hardware appliance running version 6.11 is a significant task, but with careful planning, it can be smooth. Since you're staying on 6.11, this is more of a hardware migration than a software upgrade, which simplifies some aspects. I'll walk you through the process, best practices, critical steps, data migration, post-upgrade checks, and license considerations based on general ClearPass migration principles and hardware swap workflows.
Upgrade Process Overview
The migration involves replacing the old C3000 appliances with new N3000 units while preserving your existing configuration, certificates, and data. Since ClearPass 6.11 on N3000 uses RHEL 8.x (same as C3000 on 6.11), there's no OS transition, but you'll need to reimage the N3000 appliances with 6.11, restore your configuration, and ensure cluster continuity. Here's a high-level process:
Preparation: Backup everything, validate hardware, and plan downtime.
Staged Migration: Build a parallel setup or replace nodes incrementally to minimize disruption.
Data Migration: Transfer configuration, certificates, and optionally logs/Insight data.
Cluster Reformation: Rejoin nodes to the cluster and validate replication.
Post-Upgrade Validation: Confirm functionality and cluster health.
Best Practices for a Smooth Migration
Minimize Downtime: If your cluster has multiple nodes (e.g., publisher and subscribers), upgrade subscribers first, keeping the publisher active to maintain service. Swap the publisher last.
Parallel Testing: If possible, set up the N3000 appliances with temporary IPs to test the restored config before cutting over.
Document Everything: Record IPs, hostnames, cluster roles, and certificate details from the C3000 cluster.
Engage Support: If you have an Aruba support contract, involve TAC or your SE for guidance, especially for licensing and unexpected hiccups.
Test Backups: Before starting, restore a backup to a VM (e.g., C1000V trial) to ensure it's viable.
Critical Steps Before Starting
Backup the Current Cluster:
On the publisher, go to Administration > Server Manager > Server Configuration > Backup.
Include configuration data (tipsdb, AppPlatform), Insight data (insightdb), and optionally session logs (tipsLogDb) if used in your workflows.
Export as a .bak file and store it securely off-cluster (e.g., SFTP or local drive).
Export Certificates:
Navigate to Administration > Certificates > Certificate Store.
Export RADIUS, HTTPS, and any other service certificates as .p12 files with passwords. Each node might have unique certs, so check all.
Record Licenses:
On the publisher, run show license in the CLI to list all application and platform keys. Save this output.
Note: Licenses are tied to hardware serial numbers, so you'll need to transfer them (more on this later).
Check Cluster Health:
In Administration > Server Manager > Cluster Status, ensure all nodes are up and replication is healthy.
Fix any issues (e.g., DB sync errors) before proceeding.
Validate N3000 Hardware:
Confirm the N3000 appliances are powered on, accessible via iLO, and have the right firmware (check HPE support for N3000 compatibility with 6.11).
Ensure network ports (mgmt, data) match your C3000 cabling plan.
Disable Standby Publisher (if applicable):
Migrating Data from C3000 to N3000
Since you're moving hardware, you can't directly copy data disks; you'll rely on backups and manual restoration. Here's how:
Prepare N3000 Appliances:
Use iLO to mount the ClearPass 6.11 ISO (download from Aruba Support Portal) and reimage each N3000 appliance.
During initial setup, assign temporary IPs and hostnames (you'll adjust these later to match the C3000 cluster).
Restore Backup on the Publisher:
Log into the first N3000 (future publisher) via CLI or GUI.
Go to Administration > Server Manager > Server Configuration > Restore and upload the .bak file from the C3000 publisher.
Use the -s flag in CLI (system restore -s) if the backup includes a standby publisher config to avoid cluster join issues.
Reboot after restoration.
Import Certificates:
Handle Subscribers:
Reimage additional N3000 nodes with 6.11, but don't restore the full backup yet.
Join them to the restored publisher via Administration > Server Manager > Server Configuration > Join Cluster, using the publisher's IP and cluster password.
The publisher will sync config data to subscribers automatically.
Cutover IPs:
Key Post-Upgrade Checks
Cluster Status:
In Administration > Server Manager > Cluster Status, verify all N3000 nodes are listed, online, and syncing (no red flags).
Authentication Tests:
Service Functionality:
Validate RADIUS, TACACS+, Guest, Onboard, and OnGuard services (if used) against your policies.
Database Replication:
Network Connectivity:
Insight Reports:
License Transfer and Activation
Licenses are tied to the hardware's Protected Access Credential (PAC) or serial number, so moving to N3000 requires reactivation:
Retrieve Current Licenses:
Contact Aruba Support:
Submit a request via the Aruba Support Portal or your SE to transfer licenses from C3000 to N3000 serial numbers.
Provide old and new hardware serials (find N3000 serials via iLO or CLI: show hardware).
Activate on N3000:
After restoration, go to Administration > Server Manager > Licensing on the publisher.
Enter the new platform key for the N3000 hardware and re-add application keys (they're cluster-wide and should still work if unchanged).
If offline, use the offline activation process with a generated request file.
Verify:
Important Considerations
• Downtime: Plan a maintenance window; restoring and rejoining the cluster can take 1-2 hours per node, depending on DB size.
• 6.11 Stability: Since 6.11.0 had issues (pulled by Aruba), ensure you're on a stable patch (e.g., 6.11.4 or later). Check release notes on the Aruba Support Portal.
• Hardware Differences: N3000 (DL20 Gen10) is 1G-only vs. C3000's 10G capability. Ensure your network design aligns with 1G interfaces.
• Fallback Plan: Keep C3000 appliances intact until the N3000 cluster is fully validated, so you can revert if needed.
Documentation Links
• ClearPass 6.11 Installation Guide: Check the "Moving to ClearPass 6.11" section for cluster migration details (Aruba Support Portal).
• Release Notes: Review known issues and hardware support for 6.11 (Aruba Support Portal).
• HPE N3000 Specs: Confirm hardware details on HPE's site (search "HPE ClearPass N3000").
This should set you up for success. If you hit snags (e.g., DB replication failing or license woes), let me know the specifics, and I'll refine the guidance!
Thanks
Original Message:
Sent: 3/14/2025 3:16:00 PM
From: nehabw
Subject: How to Upgrade ClearPass Cluster from C3000 (DL360 Gen9) to N3000 1G Hardware Appliance (Current Version 6.11)
Hello,
I am looking to upgrade the ClearPass cluster from the current C3000 model (DL360 Gen9) to the new N3000 1G hardware appliance for one of our clients. The current version of ClearPass running is 6.11.
Could someone guide me through the upgrade process or share any best practices to ensure a smooth migration to the new hardware?
- Are there any critical steps I should take before starting the upgrade?
- How should I handle migrating the data from the C3000 to the N3000 appliance?
- What are the key post-upgrade checks to ensure everything is functioning properly?
- Any important considerations regarding license transfer or activation on the new hardware?
Any insights or documentation link would be greatly appreciated!
Thanks in advance!