View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Migrating ClearPass to New one

This thread has been viewed 39 times
  • 1.  Migrating ClearPass to New one

    Posted Sep 27, 2023 01:31 AM

    Hi All,

    Currently we have ClearPass cluster setup version 6.9.13, we would like to migrate to new ClearPass server. Can we join the new server as subscriber and once its synchronized with Publisher config we can decom the current one and Promote the new joined subscriber as Publisher or we just take backup of the current publisher and restore back to new one. 

    Thank you all


  • 2.  RE: Migrating ClearPass to New one

    Posted Sep 27, 2023 07:32 AM

    Hi Sri

    Yes, you can join the current cluster as long as the version is the same.

    But, as ClearPass 6.11 must be installed from the begining and the configuration restored, my proposal is to install the new server with ClearPass 6.11, restore the backups on this server, including also licenses, certificates etc following the 6.11 deployment guide.

    This will save you some work with first updating the new server to 6.9.13, make it a subscriber and the do a complete reinstallation.

    Also you will have the old production server as a fallback when moving the authentication to the new server with 6.11.

    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution

  • 3.  RE: Migrating ClearPass to New one

    Posted Sep 27, 2023 09:20 PM

    Hi Jonas,

    Thank you for your reply and suggestion, client wants us to configure new server as subscriber and promote as publisher. Do we need to take any steps before we promote as publisher.



  • 4.  RE: Migrating ClearPass to New one

    Posted Sep 28, 2023 12:54 AM


    this is not possible, or not documented as migration path.

    You have to do a complete new installation of the publisher node and a subsequent recovery of the configuration.
    The root CA‘s will be part of the backup/restore.

    In the meantime, the remaining subscriber will act as fallback auth. target, like Jonas mentioned.

    In the second step, reinstall the subscriber and join it again as subscriber to the new installed publisher.

    This is documented in the 6.11 deployment guide.
    Every deviation from this guide should be discussed with TAC.

    Don’t forget - for 6.11 your customer needs an active SVC subscription for ClearPass, which is connected and visible in their ASP portal.

    Best regards, mom

  • 5.  RE: Migrating ClearPass to New one

    Posted Sep 28, 2023 05:34 AM

    Hi mom,

    Thank you!

    Yes now we proposed the client with new step.  I have something on certificate as client giving new hostname to new clearpass can we use the same certificate from the current one.



  • 6.  RE: Migrating ClearPass to New one

    Posted Sep 28, 2023 06:48 AM


    in my opinion, if you restore the clearpass server from backup, the FQDN will be restored.
    Assign the same IP and same FQDN to the new publisher, than you can use the same certificates.
    The radius server certificate do not have to match the FQDN, but the HTTPS certificate have to.
    Before you turn on the new publisher the first time, disconnect the old publisher from the network to avoid IP conflicts.

    Statement from guide: 

    The IP address should be the same that was used for the DB server certificate that was exported and backed up as a PKCS#12 format file. If the 6.9.X or 6.10.X backup is from a FIPS mode deployment, then FIPS mode should be enabled before restoring the backup.

    Just follow the guide: ClearPass 6.11 Installation Guide - Installing ClearPass 6.11 (

    Best regards, mom

  • 7.  RE: Migrating ClearPass to New one

    Posted Sep 28, 2023 09:06 PM

    Hi mom,

    Thank you for your reply, As my client want to different hostname and different IP address in this case can we use the certificate & even my client don't want to change the version currently they are using 6.9.13.



  • 8.  RE: Migrating ClearPass to New one

    Posted Sep 29, 2023 02:30 AM


    at least the https certificate has to match the new hostname.

    And the DB certificate must include the new IP as SAN.
    But it will be issued as self signed during the installation automatically.

    Best regards, mom

  • 9.  RE: Migrating ClearPass to New one

    Posted Sep 29, 2023 02:36 AM

    Hi mom,

    Thank you for your reply, will it be ok for https cert we can generate CSR from new box with new host and ask the CA to generate certificate.