Security

Need suggestion for the 6.11 Upgrade.
  • 1.  Need suggestion for the 6.11 Upgrade.

    Posted Apr 04, 2024 02:08 AM
    We are running ClearPass version 6.10.8 with 1 Publisher (192.168.1.2) and 1 Subscriber (192.168.1.3) with a VIP configured (192.168.1.1).
    On the NAD devices the VIP address is configured as the RADIUS server.
     
    Upgrade Plan
    ============
     
    1. Take the backup of the server, certificate, and licenses.
    2. Take notes of the static routes you had manually added in the ClearPass CLI.
    3. Take the screenshots of the services and certificate trust list.
    4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).
    5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address (192.168.1.1) and the Subscriber will take control of the authentication.
    6. Perform the basic configuration. 
    a. Activate the platform license.
    b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)
    c. Join them in the domain.
    7. Upload the backup configuration to the new publisher.
    8. Power off the subscriber and bring the new 6.11 subscriber online.
    9. Perform the Virtual IP Address configuration.
    10. Validate the authentication request.
     
     
    Correct me if I have missed anything; the database backup size is 90 MB.
    During the first login, will it accept the platform license key of the old server?
    I am planning to upgrade to 6.11.6. Is it OK?
    What downtime will be required for this upgrade?



  • 2.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Apr 04, 2024 02:33 AM

    Hi

    The plan looks good and will definitely work. Personally I would do some minor changes. See my comments after each of your actions below:

    1. Take the backup of the server, certificate, and licenses.
    2. Take notes of the static routes you had manually added in the ClearPass CLI.
    3. Take the screenshots of the services and certificate trust list.
    4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point). 
    Instead of using the same IP addresses I would consider assigning new IPs to the servers, this way both the old and the new cluster can be up and running at the same time. Also give the servers new names as this will make it possible to have all the servers joined with AD at the same time.
    5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address (192.168.1.1) and the Subscriber will take control of the authentication.
    6. Perform the basic configuration. 
    a. Activate the platform license.
    b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)
    Consider giving the servers new names, so you can have both the old and new ones up and running in parallel.
    c. Join them in the domain.
    7. Upload the backup configuration to the new publisher.
    If you stay with your initial plan to have same IP and hostname, start with the subscriber instead. You may want to be able to test the 6.11 installation for some time before you switch over, and during this time you also may need to do some updates in the 6.10 cluster, or guests need to register.
    8. Power off the subscriber and bring the new 6.11 subscriber online.
    9. Perform the Virtual IP Address configuration.
    The VIP configuration will be transferred with the backup and restore; if you have new server names the VIP will not be active on the new servers until you manually activate it.
    10. Validate the authentication request.
    If you have 6.8+ formatted platform and access licenses, 6.11 will accept them. You can utilize the same licenses on both the 6.10 and 6.11 servers at the same time during the migration phase, and the licenses can be activated in 6.11 without contacting Aruba TAC.
    6.11.6 contains some security-related issues and 6.11.7 was released to address these. See ARUBA-PSA-2024-001 on https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt
    With the approach of just moving the VIP address you will not have a long downtime. Only during the move of the VIP addresses, and this can be reduced to a few seconds.
    If you have had two VIP addresses and both configured as RADIUS servers in your switches and WLAN infrastructure, you could eliminate the downtime entirely by moving the VIPs one by one. This also lets you have both servers active in processing the requests.
    Keep in mind that 6.11 introduces TLS 1.3 with PSS RSA algorithm, and some older computers have a TPM chip with a bug that prevents successful authentication if the certificates are stored in the TPM. More information: https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
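Step 10 of the plan ("validate the authentication request") and the VIP-by-VIP cutover described in this reply both come down to one check: does the VIP answer a RADIUS request with a reply signed by the shared secret you expect? The probe below is an added example for that check, not code from this thread or from ClearPass; it assumes the host you run it from is defined as a network device in ClearPass with the same shared secret, that a dedicated PAP test account exists, and it uses the VIP 192.168.1.1 and a constructed NAS IP 192.168.1.50.

```python
import hashlib
import os
import socket
import struct

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the secret."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, authenticator, user, password, secret, nas_ip):
    """Access-Request (code 1) carrying User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    attrs = (attr(1, user.encode())
             + attr(2, hide_password(password.encode(), secret.encode(), authenticator))
             + attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(header, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def reply_is_valid(req_auth, reply, secret):
    """Reject replies that are truncated or not signed with our shared secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    return reply[4:20] == response_authenticator(reply[:4], req_auth, reply[20:], secret)

def probe_vip(vip, secret, user, password, nas_ip, timeout=3.0):
    """Send one PAP Access-Request to the VIP and return the outcome as a short string."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, req_auth, user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (vip, 1812))  # RADIUS authentication port
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # VIP not answering: move not complete or RADIUS service down
    if reply[1] != ident or not reply_is_valid(req_auth, reply, secret.encode()):
        return "invalid"  # wrong identifier, or shared secret differs on the new cluster
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(reply[0], "other")
```

Call `probe_vip("192.168.1.1", "<shared secret>", "<test account>", "<password>", "192.168.1.50")` before a VIP is moved and again after each move; "timeout" or "invalid" at any point means the NADs pointing at that VIP have lost authentication, while "Access-Reject" still proves the new cluster is answering with the right secret.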



  • 3.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Apr 04, 2024 11:28 AM
    Someone pointed out this recently..

    When you restore certificates and are not using HTTP EV, make sure you disable the self-signed one, as it will take precedence over the non EV cert.

  • 4.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Apr 05, 2024 08:06 AM

    I missed the part where they said the CPPM server is joined with AD. That is only needed for EAP-PEAP-MSCHAPv2, which has been deprecated for years.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 5.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Jul 05, 2024 03:36 AM

    Hi jonas.hammarback

    This is very useful. However, what if I create VMs with the same name and a different IP address in parallel, and restore the configuration, Insight and session logs?

    Once both Publisher and Subscriber are up and running in a cluster, re-IP them with the older IP addresses? Please advise.




  • 6.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Jul 05, 2024 09:37 AM

    Hi

    Changing the IP of a ClearPass server requires the database certificate to be replaced with a new certificate with the new IP in the SAN field. In ClearPass 6.11 this is done automatically, but it takes some time.

    My experience is that changing the IP of the server in a cluster may cause the cluster to stop working and you need to drop the subscriber(s) and rejoin again after the database certificate has been updated.

    If possible I would instead keep the old server IP addresses as VIP addresses on the new servers; this way you don't need to reconfigure the network infrastructure, as your RADIUS configuration points at those IPs.

    Just as information, VIP addresses can't be utilized in cloud-deployed ClearPass servers.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    ------------------------------



  • 7.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Jul 05, 2024 10:07 AM
    Ahan! 
    I am planning to then just configure the Publisher first with the old IP address after bringing down the 6.9.13 publisher (old), and then the subscriber once the publisher is up and running.
    Do you think it's a good strategy?





  • 8.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Jul 05, 2024 10:14 AM

    Hi

    This will work, but if you start with the subscriber instead, you will still be able to manage your old 6.9.13 cluster. If you take down the publisher first you can't make any changes in the configuration, nor will any guests be able to create guest accounts.

    Starting with the subscriber, on the other hand, will give you two separate clusters, each with its own Publisher; this way you can manage both the 6.9 and 6.11 environments. This will also allow you a longer transition time and time to perform testing in the 6.11 environment to make sure everything works as intended.

    When you have completed testing in 6.11 you can move all authentication traffic to the 6.11 cluster and do the subscriber.

    But I have in most cases brought up the 6.11 cluster on new IP addresses and this way had full redundancy in the old environment during the process.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    ------------------------------



  • 9.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Apr 05, 2024 11:42 AM
    Edited by cochranes Apr 05, 2024 11:43 AM

    Couple of gotchas that I encountered:

    Be sure to change "Enable Publisher Failover" to False before taking the backup. Otherwise it will not allow you to add subscribers after the restore.


    Also, this is likely obvious to most: disable the HTTPS ECC cert (assuming you are using the RSA cert) on both the publisher and subscriber. That configuration is independent per server.


    Something I ran into using the same DATA IPs: I had to disable the 6.11 VM data interface from VMware in order to configure the same IP, otherwise it would continue to detect a duplicate IP even though I had already downed the old ClearPass physical server data port. That was an odd one; I cleared the router cache and everything trying to get around it, but it kept detecting it.


    What I did to keep the old cluster available was to use new mgmt IPs and keep the old cluster alive only on the mgmt interfaces. That way the cluster stays together, you can still point things at the old mgmt IP to test if needed, and you can log in to verify the completeness of the config transfer. This is assuming you have the VIP assigned to the data ports.




  • 10.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Apr 05, 2024 12:10 PM

    Pay attention to how Insight is configured in your cluster and make sure to manually set that in the new cluster prior to loading the new config. I have found that Insight roles are not automatically restored, and this can cause a large error volume with rather cryptic error messages when configuration is loaded from the old cluster.




  • 11.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Apr 11, 2024 02:09 AM

    Thanks everyone for the suggestions.

    Now we are in a plan to build a publisher with new IP address and restore the existing ClearPass configuration backup to the new one.

    Test the authentication from one location by creating a new SSID in the new ClearPass. During the downtime window we will replace the IP address.

    My doubt here is, if I restore the configuration, whether the old IP gets applied to the new ClearPass?

    Any other suggestions here are welcome.




  • 12.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Apr 11, 2024 07:53 AM

    The server IP Address is not saved in the backup file.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    ------------------------------



  • 13.  RE: Need suggestion for the 6.11 Upgrade.

    Posted Apr 23, 2024 12:45 AM

    Transferring the current production ClearPass configuration to the newly established ClearPass in the test environment shouldn't cause any disruptions, correct?

    We intend to conduct authentication testing in the test environment for a week on a couple of NAD devices only.