At least the HTTPS certificate has to match the new hostname.
Original Message:
Sent: Sep 28, 2023 09:05 PM
From: Sri
Subject: Migrating ClearPass to New one
Hi mom,
Thank you for your reply. As my client wants a different hostname and a different IP address, can we use the certificate in this case? Also, my client doesn't want to change the version; they are currently using 6.9.13.
Regards,
Sri
Original Message:
Sent: Sep 28, 2023 06:47 AM
From: mom
Subject: Migrating ClearPass to New one
Hi,
In my opinion, if you restore the ClearPass server from backup, the FQDN will be restored.
Assign the same IP and same FQDN to the new publisher, then you can use the same certificates.
The RADIUS server certificate does not have to match the FQDN, but the HTTPS certificate has to.
Before you turn on the new publisher the first time, disconnect the old publisher from the network to avoid IP conflicts.
Statement from guide:
The IP address should be the same that was used for the DB server certificate that was exported and backed up as a PKCS#12 format file. If the 6.9.X or 6.10.X backup is from a FIPS mode deployment, then FIPS mode should be enabled before restoring the backup.
Just follow the guide: ClearPass 6.11 Installation Guide - Installing ClearPass 6.11 (arubanetworks.com)
------------------------------
Best regards, mom
Original Message:
Sent: Sep 28, 2023 05:33 AM
From: Sri
Subject: Migrating ClearPass to New one
Hi mom,
Thank you!
Yes, we have now proposed the new steps to the client. I have a question about the certificate: as the client is giving a new hostname to the new ClearPass, can we use the same certificate from the current one?
Regards,
Sri
Original Message:
Sent: Sep 28, 2023 12:54 AM
From: mom
Subject: Migrating ClearPass to New one
Hi,
This is not possible, or not documented as a migration path.
You have to do a complete new installation of the publisher node and a subsequent recovery of the configuration.
The root CAs will be part of the backup/restore.
In the meantime, the remaining subscriber will act as a fallback auth. target, like Jonas mentioned.
In the second step, reinstall the subscriber and join it again as a subscriber to the newly installed publisher.
This is documented in the 6.11 deployment guide.
Every deviation from this guide should be discussed with TAC.
Don't forget - for 6.11 your customer needs an active SVC subscription for ClearPass, which is connected and visible in their ASP portal.
---------------------------------
Best regards, mom
Original Message:
Sent: Sep 27, 2023
From: Sri
Subject: RE: Migrating ClearPass to New one
Hi Jonas,
Thank you for your reply and suggestion. The client wants us to configure the new server as a subscriber and promote it to publisher. Do we need to take any steps before we promote it to publisher?
Regards,
Sri
Original Message:
Sent: Sep 27, 2023 07:32 AM
From: jonas.hammarback
Subject: Migrating ClearPass to New one
Hi Sri
Yes, you can join the current cluster as long as the version is the same.
But, as ClearPass 6.11 must be installed from the beginning and the configuration restored, my proposal is to install the new server with ClearPass 6.11 and restore the backups on this server, including licenses, certificates etc., following the 6.11 deployment guide.
This will save you some work with first updating the new server to 6.9.13, making it a subscriber and then doing a complete reinstallation.
Also you will have the old production server as a fallback when moving the authentication to the new server with 6.11.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Sep 27, 2023 12:59 AM
From: Sri
Subject: Migrating ClearPass to New one
Hi All,
Currently we have a ClearPass cluster setup on version 6.9.13, and we would like to migrate to a new ClearPass server. Can we join the new server as a subscriber and, once it's synchronized with the publisher config, decom the current one and promote the newly joined subscriber to publisher, or do we just take a backup of the current publisher and restore it to the new one?
Thank you all
Sri