This will work, but if you start with the subscriber instead, you will still be able to manage your old 6.9.13 cluster. If you take down the publisher first you can't make any changes in the configuration, nor will any guests be able to create guest accounts.
Starting with the subscriber, on the other hand, will give you two separate clusters, each with its own Publisher; this way you can manage both the 6.9 and 6.11 environments. This will also allow you to have a longer transition time and time to perform testing in the 6.11 environment to make sure everything works as intended.
When you have completed testing in 6.11 you can move all authentication traffic to the 6.11 cluster and do the subscriber.
But I have in most cases brought up the 6.11 cluster on new IP addresses and this way had full redundancy in the old environment during the process.
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Original Message:
Sent: Jul 05, 2024 10:07 AM
From: asim.ieee1
Subject: Need suggestion for the 6.11 Upgrade.
Ahan!
I am planning to then just configure Publisher first with old IP address after bringing down the 6.9.13 publisher (old). And then subscriber once publisher is up and running.
Do you think it's a good strategy?
Original Message:
Sent: 7/5/2024 9:37:00 AM
From: jonas.hammarback
Subject: RE: Need suggestion for the 6.11 Upgrade.
Hi
Changing the IP of a ClearPass server requires the database certificate to be replaced with a new certificate with the new IP in the SAN field. In ClearPass 6.11 this is done automatically, but takes some time.
My experience is that changing the IP of the server in a cluster may cause the cluster to stop working and you need to drop the subscriber(s) and rejoin again after the database certificate has been updated.
If possible, I would instead keep the old server IP addresses as VIP addresses on the new servers; this way you don't need to reconfigure the network infrastructure if you point the IP in your RADIUS configuration.
Just as information, VIP addresses can't be utilized in cloud-deployed ClearPass servers.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jul 04, 2024 12:23 AM
From: asim.ieee1
Subject: Need suggestion for the 6.11 Upgrade.
Hi jonas.hammarback,
This is very useful. However, what if I create a VM with the same name and a different IP address in parallel, and restore the configuration, insights and session logs?
Once both Publisher and subscriber are up and running in a cluster, re-IP them with the older IP addresses? Please advise.
Original Message:
Sent: Apr 04, 2024 02:33 AM
From: jonas.hammarback
Subject: Need suggestion for the 6.11 Upgrade.
Hi
The plan looks good and will definitely work. Personally I would make some minor changes. See my comments in red after each of your actions below:
1. Take the backup of the server, certificate, and licenses.
2. Take notes of the static routes you had manually added in the ClearPass CLI
3. Take the screenshots of the services and certificate trust list.
4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).
Instead of using the same IP addresses I would consider assigning new IPs to the servers; this way both the old and the new cluster can be up and running at the same time. Also give the servers new names, as this will make it possible to have all the servers joined with AD at the same time.
5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and Subscriber will take control of the authentication
6. Perform the basic configuration.
a. Activate the platform license.
b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)
Consider giving the servers new names, so you can have both the old and new ones up and running in parallel.
c. Join them in the domain.
7. Upload the backup configuration to the new publisher.
If you stay with your initial plan to have same IP and hostname, start with the subscriber instead. You may want to be able to test the 6.11 installation for some time before you switch over, and during this time you also may need to do some updates in the 6.10 cluster, or guests need to register.
8. Power off the subscriber and bring the new 6.11 subscriber online.
9. Perform the Virtual IP Address configuration.
The VIP configuration will be transferred with the backup and restore; if you have new server names the VIP will not be active on the new servers until you manually activate it.
10. Validate the authentication request.
If you have 6.8+ formatted platform and access licenses, 6.11 will accept them. You can utilize the same licenses on both the 6.10 and 6.11 servers at the same time during the migration phase, and the license will be possible to activate in 6.11 without contact with Aruba TAC.
With the approach of just moving the VIP address you will not have a long downtime. Only during the move of the VIP addresses, and this can be reduced to a few seconds.
If you have had two VIP addresses and both configured as RADIUS servers in your switches and WLAN infrastructure, you could have eliminated the downtime to nothing by moving the VIPs one by one. This also lets you have both servers active in processing the requests.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.
We are running ClearPass version 6.10.8 with 1 Publisher (192.168.1.2) and 1 Subscriber (192.168.1.3) with VIP configured (192.168.1.1).
In NAD device VIP address is configured as Radius server.
Upgrade Plan
============
1. Take the backup of the server, certificate, and licenses.
2. Take notes of the static routes you had manually added in the ClearPass CLI
3. Take the screenshots of the services and certificate trust list.
4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).
5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and Subscriber will take control of the authentication
6. Perform the basic configuration.
a. Activate the platform license.
b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)
c. Join them in the domain.
7. Upload the backup configuration to the new publisher.
8. Power off the subscriber and bring the new 6.11 subscriber online.
9. Perform the Virtual IP Address configuration.
10. Validate the authentication request.
Correct me if I have missed anything. The database backup size is 90 MB.
During the first login, will it accept the platform license key of the old server?
I am planning to upgrade to 6.11.6. Is it OK?
What will be the downtime required for this upgrade?