Someone pointed this out recently.
When you restore certificates and are not using HTTP EV, make sure you disable the self-signed one, as it will take precedence over the non-EV cert.
Original Message:
Sent: 4/4/2024 2:33:00 AM
From: jonas.hammarback
Subject: RE: Need suggestion for the 6.11 Upgrade.
Hi
The plan looks good and will definitely work. Personally I would make some minor changes. See my comments in red after each of your actions below:
1. Take the backup of the server, certificate, and licenses.
2. Take notes of the static routes you had manually added in the ClearPass CLI.
3. Take the screenshots of the services and certificate trust list.
4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).
Instead of using the same IP addresses, I would consider assigning new IPs to the servers; this way both the old and the new cluster can be up and running at the same time. Also give the servers new names, as this will make it possible to have all the servers joined with AD at the same time.
5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address (192.168.1.1) and Subscriber will take control of the authentication.
6. Perform the basic configuration.
a. Activate the platform license.
b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)
Consider giving the servers new names, so you can have both the old and new ones up and running in parallel.
c. Join them in the domain.
7. Upload the backup configuration to the new publisher.
If you stay with your initial plan to have same IP and hostname, start with the subscriber instead. You may want to be able to test the 6.11 installation for some time before you switch over, and during this time you also may need to do some updates in the 6.10 cluster, or guests need to register.
8. Power off the subscriber and bring the new 6.11 subscriber online.
9. Perform the Virtual IP Address configuration.
The VIP configuration will be transferred with the backup and restore. If you have new server names, the VIP will not be active on the new servers until you manually activate it.
10. Validate the authentication request.
If you have 6.8+ formatted platform and access licenses, 6.11 will accept them. You can utilize the same licenses on both the 6.10 and 6.11 servers at the same time during the migration phase, and the license will be possible to activate in 6.11 without contact with Aruba TAC.
With the approach of just moving the VIP address you will not have a long downtime. Only during the move of the VIP addresses, and this can be reduced to a few seconds.
If you had had two VIP addresses and both configured as RADIUS servers in your switches and WLAN infrastructure, you could have eliminated the downtime to nothing by moving the VIPs one by one. This also lets you have both servers active in processing the requests.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.
We are running ClearPass version 6.10.8 with 1 Publisher (192.168.1.2) and 1 Subscriber (192.168.1.3) with VIP configured (192.168.1.1).
In the NAD device, the VIP address is configured as the RADIUS server.
Upgrade Plan
============
1. Take the backup of the server, certificate, and licenses.
2. Take notes of the static routes you had manually added in the ClearPass CLI.
3. Take the screenshots of the services and certificate trust list.
4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).
5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address (192.168.1.1) and Subscriber will take control of the authentication.
6. Perform the basic configuration.
a. Activate the platform license.
b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)
c. Join them in the domain.
7. Upload the backup configuration to the new publisher.
8. Power off the subscriber and bring the new 6.11 subscriber online.
9. Perform the Virtual IP Address configuration.
10. Validate the authentication request.
Correct me if I have missed anything. The database backup size is 90 MB.
During the first login, will it accept the platform license key of the old server?
I am planning to upgrade to 6.11.6. Is it OK?
What will be the downtime required for this upgrade?