Security

Hello All,  We currently have two ClearPass appliances in a cluster setup (1 Publisher and 1 Subscriber) installed in VMware. We are planning to migrate the Subscriber to a KVM-based virtual machine, while maintaining the same IP address.

Could you please advise if there will be any impact on the following during the migration:

1. Cluster Synchronization 

2. Virtual IP (VIP) Handling – 

If you have any guidance or best practices to ensure a smooth migration process without disrupting the cluster sync or VIP functionality, that would be greatly appreciated.

Looking forward to your input.

Hi

When I move to a new server within the cluster and have VIP addresses configured I prefer to configure the new server on a new IP, patch the server to the same level as the current servers and make the new server a subscriber in the cluster and as a final task move VIP address(es) as needed.

After this just drop the old server from the cluster and decommission.

If you would like to keep the same IP you have to shut down the old server before bringing the new server up with the same IP. But the process is more or less the same.

As you move the license from one instance of ClearPass to another you need to contact Aruba support and ask them to enable the license for Activation again.

Remember that service parameters, routing entries added in CLI, hardening of subnets that can access admin pages etc isn't included in the cluster configuration nor backupfiles. Thus all settings under the server object in Server Manager that have been changed from default must be updated manually.

Hello All,  We currently have two ClearPass appliances in a cluster setup (1 Publisher and 1 Subscriber) installed in VMware. We are planning to migrate the Subscriber to a KVM-based virtual machine, while maintaining the same IP address.

Could you please advise if there will be any impact on the following during the migration:

1. Cluster Synchronization 

2. Virtual IP (VIP) Handling – 

If you have any guidance or best practices to ensure a smooth migration process without disrupting the cluster sync or VIP functionality, that would be greatly appreciated.

Looking forward to your input.

Hi @jonas.hammarback , 

I plan to first power off the existing subscriber, then change its IP address to that of the new subscriber and add it to the current publisher. However, I'm unsure whether we should power off the subscriber first or drop it from the cluster before shutting it down. Also, do we need to remove the subscriber's IP address from the VIP before making the changes?

Hi

When I move to a new server within the cluster and have VIP addresses configured I prefer to configure the new server on a new IP, patch the server to the same level as the current servers and make the new server a subscriber in the cluster and as a final task move VIP address(es) as needed.

After this just drop the old server from the cluster and decommission.

If you would like to keep the same IP you have to shut down the old server before bringing the new server up with the same IP. But the process is more or less the same.

As you move the license from one instance of ClearPass to another you need to contact Aruba support and ask them to enable the license for Activation again.

Remember that service parameters, routing entries added in CLI, hardening of subnets that can access admin pages etc isn't included in the cluster configuration nor backupfiles. Thus all settings under the server object in Server Manager that have been changed from default must be updated manually.

Hello All,  We currently have two ClearPass appliances in a cluster setup (1 Publisher and 1 Subscriber) installed in VMware. We are planning to migrate the Subscriber to a KVM-based virtual machine, while maintaining the same IP address.

Could you please advise if there will be any impact on the following during the migration:

1. Cluster Synchronization 

2. Virtual IP (VIP) Handling – 

If you have any guidance or best practices to ensure a smooth migration process without disrupting the cluster sync or VIP functionality, that would be greatly appreciated.

Looking forward to your input.